Allow override of OIDC config at <issuerUrl>/.well-known/openid-configuration #3879

Closed
jameshbarton opened this issue Nov 17, 2020 · 1 comment
Labels
Area: API activities related to API Type: Enhancement New feature or request

Comments

@jameshbarton
Contributor

Is your feature request related to a problem? Please describe.
Currently, a number of OIDC configuration settings are derived by Gloo Edge by inspecting the values at <issuerUrl>/.well-known/openid-configuration. Sometimes Okta users in particular need to change these settings to use endpoints that are not associated with the sub-domain that Okta assigns them.

Describe the solution you'd like
OIDC users should be able to override one or more of the configuration settings derived from the .well-known/openid-configuration endpoint to point to alternatives available from their service provider.

@jameshbarton jameshbarton added Type: Enhancement New feature or request Area: API activities related to API labels Nov 17, 2020
@kdorosh
Contributor

kdorosh commented Nov 25, 2020

User-provided API for OIDC in Gloo lives on the AuthConfig CRD:

OidcAuthorizationCode oidc_authorization_code = 1;

We also have the in-memory API that gets sent from Gloo Edge Enterprise to the Gloo Edge Enterprise Extauth service:

OidcAuthorizationCodeConfig oidc_authorization_code = 1;

These APIs are separate because in other extauth APIs (e.g. ApiKey auth) we use the user-provided config and Gloo snapshot to derive the server config that gets sent to the extauth service. In this case, the APIs are the same (for now).

The proposal is to add a new API (arbitrary JSON override) to both APIs, propagate that to Gloo and then to the Extauth service, and then use that in the service to choose the endpoints.
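
An added example, not taken from this issue or from Gloo Edge's code, of the override idea discussed above: a user-supplied JSON object is overlaid on the document discovered at `<issuerUrl>/.well-known/openid-configuration`, and the changed keys are returned so they can be logged. The helper name `ApplyOverrides`, the sample hostnames, and the rule that endpoint values must be absolute https URLs are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Constructed sample discovery document; hostnames are placeholders.
const discoveredJSON = `{
  "issuer": "https://tenant.idp.example",
  "token_endpoint": "https://tenant.idp.example/oauth2/v1/token",
  "jwks_uri": "https://tenant.idp.example/oauth2/v1/keys",
  "response_types_supported": ["code"]
}`

// ApplyOverrides (hypothetical helper) overlays override onto discovered.
// Assumed policy: any key ending in "_endpoint" or "_uri" must be an absolute
// https URL, because those values decide where tokens and signing keys come from.
func ApplyOverrides(discovered, override []byte) (map[string]interface{}, []string, error) {
	cfg := map[string]interface{}{}
	if err := json.Unmarshal(discovered, &cfg); err != nil {
		return nil, nil, fmt.Errorf("discovery document: %w", err)
	}
	ov := map[string]interface{}{}
	if err := json.Unmarshal(override, &ov); err != nil {
		return nil, nil, fmt.Errorf("override: %w", err)
	}
	var changed []string
	for k, v := range ov {
		if strings.HasSuffix(k, "_endpoint") || strings.HasSuffix(k, "_uri") {
			s, ok := v.(string)
			u, err := url.Parse(s)
			if !ok || err != nil || u.Scheme != "https" || u.Host == "" {
				return nil, nil, fmt.Errorf("override %q: want absolute https URL", k)
			}
		}
		cfg[k] = v // fields not named in the override keep their discovered value
		changed = append(changed, k)
	}
	sort.Strings(changed) // stable order for audit logging
	return cfg, changed, nil
}

func main() {
	cfg, changed, err := ApplyOverrides([]byte(discoveredJSON),
		[]byte(`{"token_endpoint": "https://login.example.com/oauth2/v1/token"}`))
	fmt.Println(cfg["token_endpoint"], changed, err)
}
```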
