Add PKCEAuthenticator implementation in Rust #2416

Draft
wants to merge 11 commits into
base: flyrs

austin362667
Contributor

@austin362667 austin362667 commented May 14, 2024

Tracking issue

flyteorg/flyte#5344

Why are the changes needed?

To upgrade a gRPC channel to an authenticated one, we must obtain the credentials that will be attached to every gRPC call, similar to what the Flytekit Remote Client does.

There are several ways to achieve this goal, for example:

  1. Passing credentials from a Python authenticator to a Rust client through a keyring.
  2. Setting OAuth2 endpoints and secrets in the client-side configuration file. This is not the ideal way; we should also be able to fetch remote credentials and auth API endpoints from the server via the OAuth metadata gRPC service.

So we can narrow down our choices to the following approach:
Implement the OAuth flow in Rust, at least supporting the PKCE flow.

Here are some useful packages:

Moreover, even if we can pass authenticated credentials from the original Python authenticator into the Rust channel, it seems much ado about nothing.

Because if we can't have a pure and lite gRPC client with authentication included in Rust, it can be challenging for them to authenticate without a Python environment, if someone wants to only enable Rust remote in their Rust code.

Considering the two aforementioned options, we can still retain the ability to return authenticated credentials from Python and reimplement another new oauth2 authenticator in Rust.

What changes were proposed in this pull request?

How was this patch tested?

WIP

  1. cargo run executes authenticator::PKCEAuthentication(); at src/main.py.
  2. Browse to auth_url by clicking a link (will open a new browser tab).
  3. SSO with first time user.
  4. After being redirected back to our callback server automatically, the success message was shown on the web page.
  5. Trade the PKCE code for an access_token.

Setup process

admin:
  endpoint: localhost:30080
  insecure: true


server:
  httpPort: 30081 
  grpc:
    port: 30080
  grpcServerReflection: true
  kube-config: $HOME/.flyte/sandbox/kubeconfig
  security:
    secure: false
    useAuth: true
    allowCors: true
    allowedOrigins:
      # Accepting all domains for Sandbox installation
      - "*"
    allowedHeaders:
      - "Content-Type"

auth:
  authorizedUris:
    - http://localhost:30080
  appAuth:
    authServerType: External
    thirdPartyConfig:
      flyteClient:
        clientId: 0oahcbgg2hCAmwK0i5d7
        redirectUri: http://localhost:53593/callback
  userAuth:
    openId:
      baseUrl: https://dev-64186876.okta.com/oauth2/aushcaw1zmUwJrngp5d7
      scopes:
        - profile
        - openid
        - offline_access
      clientId: 0oahcbgg2hCAmwK0i5d7 # TODO: add flyteconsole clientId and clientSecret

You need to set up the external authentication provider, like Auth0

Screenshots

  • Storage and retrieval with KeyRing.

Check all the applicable boxes

  • I updated the documentation accordingly.
  • All new and existing tests passed.
  • All commits are signed-off.

Related PRs

Docs link
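
Steps 4 and 5 of the test procedure above are the point where the authorization response has to be validated before the code is traded for a token. The code below is an added example, not part of this PR or the project's code: it parses the callback request line and rejects a missing or mismatched `state`, a provider `error`, and repeated parameters. `handle_callback`, `CallbackError` and the presence of a `state` parameter in auth_url are assumptions; the `/callback` path comes from the redirectUri in the configuration above.

```rust
// Added example, not code from this PR: checks the redirect hitting the callback server.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum CallbackError { BadRequest, Provider(String), StateMismatch, MissingCode }

/// Constant-time comparison, so the state check does not leak how much matched.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Percent-decode one query component ('+' means space in form encoding).
fn pct_decode(s: &str) -> String {
    let (b, mut out, mut i) = (s.as_bytes(), Vec::new(), 0);
    while i < b.len() {
        let hex = s.get(i + 1..i + 3).filter(|h| h.bytes().all(|c| c.is_ascii_hexdigit()));
        match hex.filter(|_| b[i] == b'%').and_then(|h| u8::from_str_radix(h, 16).ok()) {
            Some(v) => { out.push(v); i += 3; }
            None => { out.push(if b[i] == b'+' { b' ' } else { b[i] }); i += 1; }
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Takes the HTTP request line and the state sent in auth_url; returns the code.
pub fn handle_callback(request_line: &str, expected_state: &str) -> Result<String, CallbackError> {
    let mut parts = request_line.split_whitespace();
    let (method, target) = (parts.next(), parts.next().unwrap_or(""));
    let (path, query) = target.split_once('?').unwrap_or((target, ""));
    if method != Some("GET") || path != "/callback" { return Err(CallbackError::BadRequest); }
    let mut params: HashMap<String, String> = HashMap::new();
    for pair in query.split('&').filter(|p| !p.is_empty()) {
        let (k, v) = pair.split_once('=').unwrap_or((pair, ""));
        // A repeated parameter is ambiguous: refuse it rather than pick one.
        if params.insert(pct_decode(k), pct_decode(v)).is_some() {
            return Err(CallbackError::BadRequest);
        }
    }
    // State is checked first: an unsolicited response is not processed further.
    let state = params.get("state").map(String::as_bytes).unwrap_or(&[]);
    if expected_state.is_empty() || !ct_eq(state, expected_state.as_bytes()) {
        return Err(CallbackError::StateMismatch);
    }
    if let Some(e) = params.get("error") { return Err(CallbackError::Provider(e.clone())); }
    params.get("code").filter(|c| !c.is_empty()).cloned().ok_or(CallbackError::MissingCode)
}

fn main() { // the request line below is constructed sample input
    println!("{:?}", handle_callback("GET /callback?code=abc&state=s3 HTTP/1.1", "s3"));
}
```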


codecov bot commented May 15, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Please upload report for BASE (flyrs@66c0f02). Learn more about missing BASE report.

Current head e80d21c differs from pull request most recent head 86dce17

Please upload reports for the commit 86dce17 to get more accurate results.

Additional details and impacted files
@@           Coverage Diff            @@
##             flyrs    #2416   +/-   ##
========================================
  Coverage         ?   87.56%           
========================================
  Files            ?       37           
  Lines            ?     1608           
  Branches         ?        0           
========================================
  Hits             ?     1408           
  Misses           ?      200           
  Partials         ?        0           


@austin362667 austin362667 force-pushed the austin362667/flyrs/pkce_authentication branch 6 times, most recently from f4caf6e to 9feb2a6 Compare May 16, 2024 17:41
@austin362667 austin362667 force-pushed the austin362667/flyrs/pkce_authentication branch from 9feb2a6 to 65bda65 Compare May 28, 2024 17:25