OpenID authentication with external ID Provider

[Gaetanbrl]

Description

This pull request match with georchestra/improvement-proposals#9

This contribution enables you to connect with an identity provider as ProConnect (see proposal details).

⚠️ This PR requires that the contribution be accepted (contains ldap / commons required changes) :
georchestra/georchestra#4382
Without this prerequisite, this PR's GitHub Actions can't build properly.

Contains

• Documentation - example to use ProConnect (such as France Connect example)
• Fix - Use JWT to read /userInfos endpoint response (see Auth fail with external userInfos returned as JWT type #168)
• Use correct / custom provider button (ProConnect - Display and use dedicated button  #157 Improved new provider button integration #165)
• Logout user -> needs correct mapping with proconnect redirect logout URL
• Documentation - insert all new parameters
• On authent, create new org according to orgUniqueId field given by Provider if not exists in georchestra (ProConnect - User and organization mapping #158)
• On authent, change user's org (just change, create new one or affect to the correct org if already exists) according to provider org's (see new field orgUniqueId contribution to get more details) ((ProConnect - User and organization mapping #158))
• Create gateway configuration (YAML) to map expected orgUniqueId, email, family_name, fiven_name, organization, id fields with provider's claims (e.g SIRET with ProConnect) (ProConnect - use, adapt or config gateway #160 Claims mapping limitation #176)
• Use user's email to retrieve / compare between georchestra and provider if needed (ProConnect - use, adapt or config gateway #160)
• Use configuration to use user's email as ID field (ProConnect - use, adapt or config gateway #160)
• Search an Org by orgUniqueId field
• Use provider's configuration to retrieve org by orgUniqueId field (ProConnect - store SIRET in new uniqueOrganisationId field #159 ProConnect - use, adapt or config gateway #160 )
• Regression tests with FranceConnect -> I can't test
• Regression tests without OAuth2 -> I can't test
• IT (if needed ?)
• (Other PR) - Use moderatedSignup config from datadir to set default pending status (ProConnect - Default pendings status from datadir config #156)
• Change POM version number (currently tagged -jdev- to keep nativ mvn build and images)
• clean commits tree (squash ready)
• Rebase / align with master
• GitHub actions (Note : build required ldap / commons / ldap-account-management .... from [ProConnect] - ldap, console - new attribute and field orgUniqueId  georchestra#4382)

[Gaetanbrl]

Further to a discussion with @pmauduit @f-necas @cmangeat :

1. Use moderatedSignup config from datadir to set default pending status

...Will be moved to a dedicated pull request

2. configuration (YAML) to map expected orgUniqueId, email, family_name, fiven_name, organization, id fields with provider's claims

This config will be in georchestra.gateway.security.oidc.claims.

A sub georchestra.gateway.security.oidc.claims.provider.<provider_name> section will allow you to specify custom claims mapping by supplier :

georchestra:
  gateway:
    security:
      oidc:
        claims:
          id.path:
            - "$.iduser"
            - "$.sub"
          provider:
            <provider_name>:
               id.path: ""

4. About test

It's currently hard to test locally or create automate testing due to many queries with the service provider.

It appear as easier to test this PR in pre production environment (needs client_secret, client_id according to proconnect process / form).

[Gaetanbrl]

Need a (nightmare) rebase / merge again after last main changes...

#179

[Gaetanbrl]

@groldan do you have any other changes planned for the gateway? If so, I'll wait before rebasing again.

[groldan]

@Gaetanbrl mothing big, just rewriting it in rust. Sorry for causing you merge conflicts, it's the nature of the beast though

[Gaetanbrl]

Hi,
PR ready for a first review.

From my understanding, Github Actions failed due to depandancies.
Indeed, this PR needs georchestra/georchestra#4382 .

Thanks.