Support groups info through OIDC

[pkking]

As we have a basic support for OIDC, there's another feature we need so that we do not lost any functions when switching to OIDC.
Copr should have ability to fetch user's group info from Idp.

As group info is not covered by OIDC spec, but most of OIDC providers(etc google/auth0) support custom claim

I also talk to openEuler infra team, they can add the a group scope in the OIDC provider but i have no idea what fedora OIDC provider can do.

So here's my idea: add a config item: OIDC_type(such as: google/openEuler/fedora. etc), for each type, we can have a specified impl to grab the group info

Now i'd like hear from you and what you say about this proposal :)

[praiskup]

@FrostyX has took a look on what group support in Fedora OIDC, and so far no success, work in progress.

[pkking]

Hi, @FrostyX @praiskup , we have some experience on OIDC group info before because we try to get it into our jenkins cluster, in jenkins story, our OIDC userinfo endpoint will return a list of groups if a group scope is provided such as:

{
  "sub": "user123",
  "name": "John Doe",
  "email": "[email protected]",
  "groups": [
    "dev-utils",
    "eBPF",
    "kernel"
  ]
}

Im trying to find a way to let authlib to work in this way :)

[pkking]

seems lepture/authlib#549 will works like a charm

[pkking]

I think we should wait Fedora guys to finish their OIDC adaptation, the #2836 works well in openEuler now :)