This repository has been archived by the owner on Dec 4, 2023. It is now read-only.

Remove the 'Authorize Access' screen from the login flow #1534

Closed
david-martin opened this issue Aug 23, 2018 · 2 comments

Comments

@david-martin

Remove this: [image]

The reason I'm asking for this is to improve the login flow & user experience for a setup where multiple middleware products are running on an OpenShift cluster.
The goal in this scenario is to have a smooth single sign-on experience where the user only signs in once, e.g. to OpenShift, and is seamlessly signed into all other products that are pre-installed in the OpenShift cluster.

This Authorize Access screen doesn't make sense in the context of single sign-on across a number of products from the one provider.
It introduces an extra step in the flow, which:

  • lengthens the time to get into the console
  • makes the user more aware of some single sign-in mechanism at play (ideally they don't see it, and have just logged in once for all middleware products, including OpenShift)
  • may even confuse the user, who then looks for help/support on what this message means

It is my understanding that the reason for this message popping up is that a ServiceAccount OAuth Client is used to provide OpenShift identity against EnMasse's Keycloak.
One option to avoid this is to use a full OAuth Client that has a grantMethod of auto.
There may be other options.

@k-wall

k-wall commented Sep 11, 2018

EnMasse doesn't actually need the user:info at all - we never present the name (or anything else) about the user back to them. So, what we need is a way to suppress the requesting of the permission in the first place. @rgodfrey suggests looking at the "disable user info" option that is available when creating an identity provider.

@k-wall

k-wall commented Sep 12, 2018

From looking at Keycloak I see disableUserInfo disallows use of the user info endpoint. I don't think this will help us.

EnMasse doesn't need the information from the user:info scope. The request for this scope is originating from a default (org.keycloak.social.openshift.OpenshiftV3IdentityProvider#DEFAULT_SCOPE) within the openshift provider within keycloak. Unfortunately, the provider does not allow the scope parameter to be omitted from the endpoint request.

The way we can solve this problem is to switch from the service account constrained form of OAuth client to a normal OAuth client. The full form supports a grantMethod attribute which controls the workflow used when this client requests tokens and has not yet been granted access by the user. It supports an auto grant option which grants the scope without interaction from the user.

I've tested this approach on the command line, switching from the service account to the created client. It confirms that the step is removed from the workflow. Implementing this solution should be a case of refactoring templates/build/enmasse-latest/ansible/roles/standard_authservice_config/tasks/main.yml to create the OAuth client (and a secret) rather than use the service account. No changes to the Keycloak controller are required. The tests that interact with the authorise step will need to be changed.
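An OpenShift OAuthClient resource showing the grantMethod switch described in the comment above, as an added illustration rather than the EnMasse project's own template; the client name, secret value and redirect URI are placeholders:

```yaml
# Added example (not from the EnMasse repository). A full OpenShift OAuthClient,
# as opposed to the service-account form, exposes grantMethod, which decides what
# happens the first time this client asks for a scope the user has not yet approved.
apiVersion: oauth.openshift.io/v1
kind: OAuthClient
metadata:
  name: example-keycloak-broker          # placeholder name
# Shared secret the identity provider presents at the token endpoint. In a real
# deployment this comes from a generated Secret and is never committed to git.
secret: REPLACE-WITH-GENERATED-SECRET    # placeholder value
# List only exact, pre-registered redirect URIs. With grantMethod auto there is
# no consent screen between a mis-registered redirect and an issued token, so the
# redirect allow-list is the control that remains.
redirectURIs:
  - https://keycloak.example.com/auth/realms/master/broker/openshift-v3/endpoint  # placeholder
# prompt -> the 'Authorize Access' screen is shown once per user and scope set
# auto   -> requested scopes (here user:info) are granted without user interaction;
#           appropriate only for a first-party client the cluster admin controls
grantMethod: auto
```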

@k-wall k-wall self-assigned this Sep 12, 2018
k-wall added a commit to k-wall/enmasse that referenced this issue Sep 25, 2018
…t form. Allows finer control of the login workflow

when authenticating with openshift credentials.

Fixes EnMasseProject#1534
k-wall added a commit to k-wall/enmasse that referenced this issue Sep 26, 2018
…t form. Allows finer control of the login workflow

when authenticating with openshift credentials.

Also automatically push clientId, clientSecret and base url changes from keycloak configmap to the realms of existing addressspace spaces.

Fixes EnMasseProject#1534
@k-wall k-wall closed this as completed in 472b9f4 Sep 27, 2018