feat(iam): add user login tracking fields

config/crd/bases/iam/iam.miloapis.com_users.yaml

@@ -146,6 +146,16 @@ spec:
                   - type
                   type: object
                 type: array
+              lastLoginPerProvider:
+                additionalProperties:
+                  type: string
+                description: |-
+                  LastLoginPerProvider tracks the most recent login timestamp for each identity provider
+                  that the user has used to authenticate. The map key is the provider name (e.g., "github", "google")
+                  and the value is the RFC3339 timestamp of the last successful login via that provider.
+                  This field is updated by the auth provider when processing idpintent.succeeded events.
+                  Note: This event is only triggered during actual IDP login, not on token refresh.
+                type: object
               lastLoginProvider:
                 allOf:
                 - enum:
@@ -159,6 +169,14 @@ spec:
                   user to log in (e.g., "github" or "google"). This field is set by the auth provider
                   based on authentication events.
                 type: string
+              lastTokenIntrospection:
+                description: |-
+                  LastTokenIntrospection records the timestamp of the most recent successful token introspection
+                  for this user. This is updated during authentication webhook calls when validating access tokens,
+                  which occurs more frequently than actual IDP logins (including token refreshes).
+                  The value is an RFC3339 timestamp.
+                format: date-time
+                type: string
               registrationApproval:
                 description: |-
                   RegistrationApproval represents the administrator’s decision on the user’s registration request.

docs/api/iam.md

@@ -3827,6 +3827,17 @@ populated by the auth provider or any service that provides a user avatar URL.<b
             <i>Default</i>: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b>lastLoginPerProvider</b></td>
+        <td>map[string]string</td>
+        <td>
+          LastLoginPerProvider tracks the most recent login timestamp for each identity provider
+that the user has used to authenticate. The map key is the provider name (e.g., "github", "google")
+and the value is the RFC3339 timestamp of the last successful login via that provider.
+This field is updated by the auth provider when processing idpintent.succeeded events.
+Note: This event is only triggered during actual IDP login, not on token refresh.<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b>lastLoginProvider</b></td>
         <td>string</td>
@@ -3836,11 +3847,23 @@ user to log in (e.g., "github" or "google"). This field is set by the auth provi
 based on authentication events.<br/>
         </td>
         <td>false</td>
+      </tr><tr>
+        <td><b>lastTokenIntrospection</b></td>
+        <td>string</td>
+        <td>
+          LastTokenIntrospection records the timestamp of the most recent successful token introspection
+for this user. This is updated during authentication webhook calls when validating access tokens,
+which occurs more frequently than actual IDP logins (including token refreshes).
+The value is an RFC3339 timestamp.<br/>
+          <br/>
+            <i>Format</i>: date-time<br/>
+        </td>
+        <td>false</td>
       </tr><tr>
         <td><b>registrationApproval</b></td>
         <td>enum</td>
         <td>
-          RegistrationApproval represents the administrator’s decision on the user’s registration request.
+          RegistrationApproval represents the administrator's decision on the user's registration request.
 States:
   - Pending:  The user is awaiting review by an administrator.
   - Approved: The user registration has been approved.

pkg/apis/iam/v1alpha1/user_types.go

@@ -106,6 +106,22 @@ type UserStatus struct {
 	// +kubebuilder:validation:Enum=github;google
 	LastLoginProvider AuthProvider `json:"lastLoginProvider,omitempty"`
 
+	// LastLoginPerProvider tracks the most recent login timestamp for each identity provider
+	// that the user has used to authenticate. The map key is the provider name (e.g., "github", "google")
+	// and the value is the RFC3339 timestamp of the last successful login via that provider.
+	// This field is updated by the auth provider when processing idpintent.succeeded events.
+	// Note: This event is only triggered during actual IDP login, not on token refresh.
+	// +kubebuilder:validation:Optional
+	LastLoginPerProvider map[string]string `json:"lastLoginPerProvider,omitempty"`
+
+	// LastTokenIntrospection records the timestamp of the most recent successful token introspection
+	// for this user. This is updated during authentication webhook calls when validating access tokens,
+	// which occurs more frequently than actual IDP logins (including token refreshes).
+	// The value is an RFC3339 timestamp.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Format=date-time
+	LastTokenIntrospection *metav1.Time `json:"lastTokenIntrospection,omitempty"`
+
 	// AvatarURL points to the avatar image associated with the user. This value is
 	// populated by the auth provider or any service that provides a user avatar URL.
 	// +kubebuilder:validation:Optional