Add support for OpenID Connect authorisation #250

Closed
pete-w opened this issue Apr 3, 2020 · 6 comments

pete-w commented Apr 3, 2020

Is your feature request related to a problem? Please describe.
ARC has no built-in mechanism to automatically authorise via an OpenID Connect id token. OpenID Connect is a layer on top of OAuth 2.0 implemented by a number of common public auth providers. In addition to the standard OAuth2 access and renew tokens, it also returns an id token. In some situations it is desirable to use the id token rather than the access token as the subsequent request bearer token.

Describe the solution you'd like
Add the following to the AUTHORIZATION tab:

  1. Add OIDC to the Select authorization dropdown after OAuth 2 that has the same fields and behaviour as OAuth 2, with additions as below:
  2. New Issuer URI field just before any other URI fields. Upon entering a URI here, ARC will call `<<issuer-uri>>/.well-known/openid-configuration` (as most providers implement Discovery) and where possible pre-populate the other URIs from the retrieved JSON config.
  3. Prepopulate the Scopes field with openid.
  4. Change the REQUEST ACCESS TOKEN button to REQUEST TOKENS or similar.
  5. Upon clicking the button, perform the existing OAuth2 flow and display all tokens (access, renew & id) from the response.
  6. Change the Current token label to Current tokens expiring <<when>> where <<when>> is derived from the response stated issue and expiry info. [Optionally] change the label to Expired tokens when the time has lapsed.
  7. Add a Bearer token label and radio button in front of the access and id tokens to use the user selected token for the Authorisation header for the main request as is currently done with just the access token.
  8. Drink beer and celebrate a job well done 🍺.

Additional context
This feature request stems from #245.
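
The discovery and token-selection steps (2, 3 and 7) from the request above, sketched as an added example that is not part of the original issue and is not ARC's code. The function names, form-field names and the sample provider `idp.example.com` are assumptions.

```javascript
// Added example, not ARC's code. All function and field names are hypothetical.
const trimSlash = (s) => String(s).replace(/\/+$/, '');

// Step 2: the discovery URL derived from the Issuer URI field.
function discoveryUrl(issuerUri) {
  return `${trimSlash(issuerUri)}/.well-known/openid-configuration`;
}

// Reject anything that is not an absolute https URL.
function httpsUrl(name, value) {
  let url;
  try { url = new URL(value); } catch (e) { throw new Error(`${name}: not a URL`); }
  if (url.protocol !== 'https:') throw new Error(`${name}: must use https`);
  return url.href;
}

// Steps 2 and 3: validate the retrieved JSON, then map it to form fields.
function fieldsFromDiscovery(issuerUri, config) {
  // OIDC Discovery: the returned issuer must match the one the document was
  // fetched from. Trailing slashes are ignored here (a choice of this example).
  if (typeof config.issuer !== 'string' || trimSlash(config.issuer) !== trimSlash(issuerUri)) {
    throw new Error('issuer mismatch');
  }
  return {
    authorizationUri: httpsUrl('authorization_endpoint', config.authorization_endpoint),
    accessTokenUri: httpsUrl('token_endpoint', config.token_endpoint),
    scopes: ['openid'],
  };
}

// Step 7: build the header from the token the user selected ('access' or 'id').
function bearerHeader(tokens, selected) {
  const token = selected === 'id' ? tokens.id_token : tokens.access_token;
  if (!token) throw new Error(`no ${selected} token in response`);
  return `Bearer ${token}`;
}

// Constructed sample data, not taken from a real provider.
const sampleIssuer = 'https://idp.example.com/';
const sampleConfig = {
  issuer: 'https://idp.example.com',
  authorization_endpoint: 'https://idp.example.com/authorize',
  token_endpoint: 'https://idp.example.com/token',
};
console.log(discoveryUrl(sampleIssuer), fieldsFromDiscovery(sampleIssuer, sampleConfig));
```

Checking the returned `issuer` before pre-populating the form keeps a mistyped or redirected Issuer URI from silently filling in another provider's endpoints.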

Member

jarrodek commented Apr 3, 2020

Thanks for the explainer. It's very helpful.
I can say that I will implement it but it won't be as quick as your other requests :) This one will take a long time to develop appropriate UIs, then authorization logic, then bindings to ARC. Last time when I did this it took a few weeks (right now I am working on ARC in the evenings, splitting my time between here and my YouTube project). I will get back to this after implementing the current roadmap item (new requests actions) and combine it with PKCE for OAuth 2.

Member

jarrodek commented Apr 3, 2020

Unless you want to help :)

Author

pete-w commented Apr 3, 2020

I'll pull down the source and have a look - given it is generally extending OAuth2 behaviour I should be able to work it out without too much grief (he says hopefully...) You okay if I email you direct with any questions? Or do you have a preferred chat handle?

Author

pete-w commented Apr 3, 2020

Okay, it's in Node, not Java - a bit more effort required...
I guess it did begin life as a Chrome plugin so fair enough :-)

Member

jarrodek commented Apr 3, 2020

You can contact me at my github username @gmail.com. I'll be happy to help.
Originally ARC was written in Java using GWT and then transpiled to JavaScript. It changed a long time ago though. If you are not a web developer then it's OK. I will do this eventually.

Member

jarrodek commented Sep 1, 2021

Sorry for the long time waiting to take care of this but it was a rather complex change.
All UIs and the logic are already implemented. This will be released sometime this month.

jarrodek added a commit that referenced this issue Sep 2, 2021
Signed-off-by: Pawel Psztyc <jarrodek@gmail.com>
@jarrodek jarrodek closed this as completed Sep 2, 2021