
Configure how RabbitMQ determines the username from an OAuth 2.0 token #6247

Closed
wants to merge 3 commits into from

Conversation

@MarcialRosales MarcialRosales commented Oct 25, 2022

This PR is about configuring how RabbitMQ determines the username from an OAuth 2.0 token (a.k.a. JWT).

There are two situations where RabbitMQ needs to determine the username:

  • when we display it in the management ui
  • when logging activity related to the user, such as User 'rabbit_admin' authenticated successfully by backend rabbit_auth_backend_oauth

Current implementation
RabbitMQ first looks up if a username was provided along with the token. This is possible when we authenticate via one of the messaging protocols, e.g. amqp. The username field should be left blank and the password carries the JWT. However, if the username field is present, RabbitMQ uses that field. If the username is not present, RabbitMQ uses the sub claim and if it does not have it either, it uses the client_id claim.

Problems with the current implementation

  • I think the username should be determined exclusively from the token and not from the provided username along with the access_token as password.
  • The majority of Identity Providers use the sub field for some internal primary key associated to the user. When the user logs in to the management ui, it is not a good experience to show an identity the user does not relate to.

Proposed changes
This PR adds a new setting to the oauth2 backend plugin that allows you to specify one or multiple claims which are used to determine the user's identity. For instance, UAA typically sets the user's identity in the user_name claim. In this case, we would configure RabbitMQ to look for user_name first and then for email.

[
  {rabbitmq_auth_backend_oauth2, [
   ...
    {preferred_username_claims, [ <<"user_name">>, <<"email">> ]}
    ....
  ]},
].

Types of Changes

What types of changes does your code introduce to this project?
Put an x in the boxes that apply

  • Bug fix (non-breaking change which fixes issue #NNNN)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause an observable behavior change in existing systems)
  • Documentation improvements (corrections, new content, etc)
  • Cosmetic change (whitespace, formatting, etc)
  • Build system and/or CI

Checklist

Put an x in the boxes that apply.
You can also fill these out after creating the PR.
If you're unsure about any of them, don't hesitate to ask on the mailing list.
We're here to help!
This is simply a reminder of what we are going to look for before merging your code.

  • I have read the CONTRIBUTING.md document
  • I have signed the CA (see https://cla.pivotal.io/sign/rabbitmq)
  • I have added tests that prove my fix is effective or that my feature works
  • All tests pass locally with my changes
  • If relevant, I have added necessary documentation to https://github.com/rabbitmq/rabbitmq-website
  • If relevant, I have added this change to the first version(s) in release-notes that I expect to introduce it

Further Comments

If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc.
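The resolution order described above, as an added Python sketch that is not part of this PR or of RabbitMQ's Erlang code: the current rule (a username sent alongside the token wins, then `sub`, then `client_id`) beside the proposed rule (configured `preferred_username_claims` tried in order, then the same fallbacks, with the protocol username field ignored). The claims dict is assumed to come from a token the backend has already verified; the sample values are constructed.

```python
from typing import Mapping, Optional, Sequence

# Fallback order the PR describes: `sub` first, then `client_id`.
FALLBACK_CLAIMS: Sequence[str] = ("sub", "client_id")


def _first_present(claims: Mapping[str, object], names: Sequence[str]) -> Optional[str]:
    """Return the value of the first claim in `names` that is a non-empty string."""
    for name in names:
        value = claims.get(name)
        if isinstance(value, str) and value.strip():
            return value
    return None


def current_username(username_field: Optional[str], claims: Mapping[str, object]) -> Optional[str]:
    """Current behaviour: a username supplied with the token (e.g. in the AMQP
    handshake) takes precedence over anything in the token itself."""
    if username_field:
        return username_field
    return _first_present(claims, FALLBACK_CLAIMS)


def proposed_username(claims: Mapping[str, object],
                      preferred_username_claims: Sequence[str] = ()) -> Optional[str]:
    """Proposed behaviour: identity comes only from the (verified) token.
    Configured claims are tried in order, then the existing fallbacks."""
    return _first_present(claims, tuple(preferred_username_claims) + tuple(FALLBACK_CLAIMS))


# Constructed sample: a UAA-style token whose `sub` is an opaque internal id.
SAMPLE_CLAIMS = {
    "sub": "2a9f6c1e-0000-4000-8000-000000000000",  # constructed placeholder id
    "client_id": "rabbit_client",
    "user_name": "rabbit_admin",
    "email": "rabbit_admin@example.com",
}

if __name__ == "__main__":
    print(current_username("someone_else", SAMPLE_CLAIMS))           # someone_else
    print(current_username(None, SAMPLE_CLAIMS))                     # the opaque sub
    print(proposed_username(SAMPLE_CLAIMS, ["user_name", "email"]))  # rabbit_admin
```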

@MarcialRosales MarcialRosales force-pushed the extract-username-from-oauth-token branch from cb406f3 to e4f42df Compare October 28, 2022 12:22
@MarcialRosales MarcialRosales changed the title Configure how user identity is determined Configure how RabbitMQ determines the username from an OAuth 2.0 token Oct 28, 2022
@MarcialRosales

This PR has been merged onto #6015

@MarcialRosales MarcialRosales deleted the extract-username-from-oauth-token branch January 31, 2023 11:04