security/tests: add OIDC authenticate group benchmark tests

[nguyen-andrew]

This commit adds benchmark tests for the OIDC authenticate function testing group claim extraction performance across multiple dimensions:

• Group counts: 0, 1, 10, 100, and 1000 groups
• Formats: JSON array (["g1", "g2"]) vs comma-delimited string ("g1,g2")
• Nesting: flat names vs nested paths with suffix extraction

CORE-15161

Backports Required

• none - not a bug fix
• none - this is a backport
• none - issue does not exist in previous branches
• none - papercut/not impactful enough to backport
• v25.3.x
• v25.2.x
• v25.1.x

Release Notes

• none

[Copilot]

Pull request overview

This PR adds comprehensive benchmark tests for the OIDC authenticate function to measure group claim extraction performance. The benchmarks test various scenarios including different group counts (0, 1, 10, 100, 1000), different formats (JSON array vs comma-delimited string), and different nesting behaviors (flat vs nested with suffix extraction).

Key Changes:

• Added a new benchmark test file oidc_authenticator_bench.cc with 17 performance test cases
• Updated the BUILD file to include the new benchmark target

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
src/v/security/tests/oidc_authenticator_bench.cc	New benchmark test file implementing 17 performance tests for OIDC authenticate function across different group configurations
src/v/security/tests/BUILD	Added new redpanda_cc_bench target for the OIDC authenticator benchmark

[vbotbuildovich]

CI test results

test results on build#78618

test_class	test_method	test_arguments	test_kind	job_url	test_status	passed	reason	test_history
ShadowLinkingRandomOpsTest	test_node_operations	{"failures": true}	integration	https://buildkite.com/redpanda/redpanda/builds/78618#019b9640-d70b-4b07-bb66-7ad47574ab6d	FLAKY	10/11	Test PASSES after retries.No significant increase in flaky rate(baseline=0.0000, p0=1.0000, reject_threshold=0.0100. adj_baseline=0.1000, p1=0.3487, trust_threshold=0.5000)	https://redpanda.metabaseapp.com/dashboard/87-tests?tab=142-dt-individual-test-history&test_class=ShadowLinkingRandomOpsTest&test_method=test_node_operations

[michael-redpanda]

Looks really good, couple of nits. Can you also post results?

[nguyen-andrew]

Force push to address comments.

[nguyen-andrew]

Force push - forgot to run clang_format

[nguyen-andrew]

Here are the results I gathered running locally on my dev machine:

[bench-wrapper] running benchmark : oidc_authenticator_bench_rpbench_binary
[bench-wrapper] verbose=0, exec_in_shm=1, redirect_stderr=0, disable_aslr=1
[bench-wrapper] rundir            : /dev/shm/vectorized_io
[bench-wrapper] command           : src/v/security/tests/oidc_authenticator_bench_rpbench_binary --blocked-reactor-notify-ms 2000000 --abort-on-seastar-bad-alloc -m1GiB -c1
[bench-wrapper] REDPANDA_RNG_SEEDING_MODE=(unset) REDPANDA_RNG_SEEDING_MODE_DEFAULT=fixed 
INFO  2026-01-07 11:18:43,241 seastar - Reactor backend: linux-aio
INFO  2026-01-07 11:18:43,241 [shard 0:main] io - IO queue was unable to find a suitable maximum request length, the search was cut-off early at: 16MB
INFO  2026-01-07 11:18:43,241 [shard 0:main] io - IO queue was unable to find a suitable maximum request length, the search was cut-off early at: 16MB
single run iterations:    0
single run duration:      1.000s
number of runs:           5
number of cores:          1
random seed:              4241113714

test                                                           iters            runtime     allocs      tasks       inst     cycles
oidc_authenticator_bench.0_groups                           10661610    92.53ns ± 0.17%      0.000      0.000    2041.00      513.0
oidc_authenticator_bench.1_group_as_array_not_nested         8376109   119.48ns ± 0.27%      4.000      0.000    2633.00      661.0
oidc_authenticator_bench.10_groups_as_array_not_nested       4946652   201.58ns ± 0.20%      4.000      0.000    3722.00     1121.5
oidc_authenticator_bench.100_groups_as_array_not_nested       965498     1.03µs ± 0.03%      4.000      0.000   14432.00     5751.1
oidc_authenticator_bench.1000_groups_as_array_not_nested      103620     9.67µs ± 0.26%      4.000      0.000  121819.01    53664.8
oidc_authenticator_bench.1_group_as_string_not_nested        5929725   170.90ns ± 0.76%      8.000      0.000    4460.00      936.0
oidc_authenticator_bench.10_groups_as_string_not_nested      3097288   324.14ns ± 0.09%     11.000      0.000    8484.00     1780.0
oidc_authenticator_bench.100_groups_as_string_not_nested      581761     1.72µs ± 0.08%     14.000      0.000   46669.00     9519.1
oidc_authenticator_bench.1000_groups_as_string_not_nested      62582    15.92µs ± 0.36%     17.000      0.000  444495.02    88028.8
oidc_authenticator_bench.1_group_as_array_nested             8220849   121.39ns ± 0.14%      4.000      0.000    2705.00      672.0
oidc_authenticator_bench.10_groups_as_array_nested           4837667   206.75ns ± 0.13%      4.000      0.000    4442.00     1145.9
oidc_authenticator_bench.100_groups_as_array_nested           927664     1.07µs ± 0.17%      4.000      0.000   22262.00     5958.7
oidc_authenticator_bench.1000_groups_as_array_nested           96439    10.36µs ± 0.18%      4.000      0.000  206980.01    57618.4
oidc_authenticator_bench.1_group_as_string_nested            5716920   176.27ns ± 0.11%      8.000      0.000    4652.00      963.9
oidc_authenticator_bench.10_groups_as_string_nested          2745118   351.45ns ± 0.09%     11.000      0.000   10404.00     1927.5
oidc_authenticator_bench.100_groups_as_string_nested          497011     2.01µs ± 0.08%     14.000      0.000   66499.00    10983.1
oidc_authenticator_bench.1000_groups_as_string_nested          52916    18.81µs ± 0.13%     17.000      0.000  649725.03   103078.6
[bench-wrapper] benchmark completed successfully

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

[michael-redpanda]

lgtm