[GEOS-10646] OAuth access tokens

[davidblasby]

This PR is improving the support for Bearer Tokens. See the updated GS OpenID documentation for setup and usage.

Issue: https://osgeo-org.atlassian.net/browse/GEOS-10646

Summary: attach an Access Token to your HTTP requests - useful for automated (i.e. desktop/remote web) access of the REST api.

There was already some partial support for Bearer tokens. This PR improves it.

1. There is now better token validation (see GS doc + OIDC specification). This improves security.
2. Since you cannot use ID Tokens with attached access tokens, I added two new ways to get user groups:
   a) from the "userinfo" endpoint (recommended for KeyCloak)
   b) from the MS Graph API (only for MS Azure AD)
3. There is a configuration on the OIDC web page to turn on/off bearer tokens
4. I added some minor validation to the OIDC web page
5. Added a few test cases
6. Updated documentation for Attached Bearer Tokens
7. Tested with Keycloak and Azure AD
8. I attach the "userinfo" results to the incomming request (in the same manner as the ID/Access tokens + other spring stuff)
9. I attach a flag to the incomming request indicating if the authentication is BEARER or USER (in the same manner as the ID/Access tokens + other spring stuff)

Checklist

• I have read the contribution guidelines.
• I have sent a Contribution Licence Agreement (not required for small changes, e.g., fixing typos in documentation).
• First PR targets the main branch (backports managed later; ignore for branch specific issues).
• All the build checks are green (see automated QA checks).

For core and extension modules:

• New unit tests have been added covering the changes.
• Documentation has been updated (if change is visible to end users).
• [n/a] The REST API docs have been updated (when changing configuration objects or the REST controllers).
• [GEOS-10646] There is an issue in the GeoServer Jira (except for changes that do not affect administrators or end users in any way).
• [squash on merge] Commit message(s) must be in the form [GEOS-XYZWV] Title of the Jira ticket.
• Bug fixes and small new features are presented as a single commit.
• Each commit has a single objective (if there are multiple commits, each has a separate JIRA ticket describing its goal).

[jodygarnett]

Thanks for the comments; this is the rare case where keeping commented out code in the codebase may be worthwhile.

[jodygarnett]

One trick I do is to do an:

private static boolean DEBUGGING = false;

if (DEBUGGING) {
   // some stuff that would otherwise be commented out
}

May have to do a PMD ignore to get that passed QA checks but at least the debugging code will still be compiled.

[jodygarnett]

Suggested change

	* This is a simple token validator that runs a list of TokenValidators. This doesn't do any
	* This is a token validator that runs a list of TokenValidators. This doesn't do any

[jodygarnett]

I appreciate the TokenValidator interface and classes. I would like one of the other teams using OAuth to review (but I understand they may not be interested in bearer tokens at this time).

[jodygarnett]

Update from today's meeting:

• Ask @taba90 or @afabiani to review due to number of files changes
• Double check tests have been run locally, since some tests already extract credentials

[taba90]

Overall looks good, tests passed running them locally. I've done some tests and it works fine.
I've added some minor comments.

[taba90]

Suggested change

	e.printStackTrace();
	e.printStackTrace();

please remove printStackTrace();

[davidblasby]

made it log (shouldn't throw unless someone makes a type on the above line)

[taba90]

this piece of code seems equal to the one in the getRolesFromToken method. Maybe extracting common parts in a separate method would be better.

[davidblasby]

refactored

[taba90]

I would catch this since if the attribute is not present this will throw exception blocking the user to be authenticated ( it will not throw an IOException catched in the OAuth2Filter superclass). It should be fine to just reuse the extracFromJSON static method above.

[davidblasby]

I created another extractFromJSON(), based on Map (instead of a JSON string).

[taba90]

Since bearer authentication was already working although without validation of the token, maybe this flag could be kept as true by default.

[davidblasby]

I changed it to true. I was a bit worried leaving bearer tokens as the default.

[davidblasby]

@taba90 - thanks for the review!

[davidblasby]

FYI - rebased due to test case failure (not to do with this pr)

[davidblasby]

@taba90 - ready to merge?

[taba90]

looks good to me, merging...