Support for offline tokens

[JAORMX]

Summary

This adds new sub-commands to minder auth which enable the usage and installation
of offline tokens. These tokens enable you to create long-lived credentials which are handy
for CI and automation cases.

Co-Authored-By: Eleftheria Stein-Kousathana eleftheria@stacklok.com

Change Type

Mark the type of change your PR introduces:

• Bug fix (resolves an issue without affecting existing features)
• Feature (adds new functionality without breaking changes)
• Breaking change (may impact existing functionalities or require documentation updates)
• Documentation (updates or additions to documentation)
• Refactoring or test improvements (no bug fixes or new functionality)

Testing

Outline how the changes were tested, including steps to reproduce and any relevant configurations.
Attach screenshots if helpful.

Review Checklist:

• Reviewed my own code for quality and clarity.
• Added comments to complex or tricky code sections.
• Updated any affected documentation.
• Included tests that validate the fix or feature.
• Checked that related changes are merged.

[coveralls]

coverage: 39.351% (-0.2%) from 39.542%
when pulling 80dcfea on offline-tokens
into 5fd0f74 on main.

[rdimitrov]

Added a few comments mostly around keeping the way we read/set flags consistent with the rest of the CLI commands.

[eleftherias]

IMO if we're going to expose offline tokens to external users we need to show them how to revoke the tokens.
In theory it's possible now through the keycloak account management, but we don't direct users there.

[eleftherias]

I'm wondering if this should say "to the minder CLI", since the tokens are scoped to the CLI client. In theory tokens generated by different clients can have different characteristics, although in our current implementation they don't.

[JAORMX]

IMO if we're going to expose offline tokens to external users we need to show them how to revoke the tokens. In theory it's possible now through the keycloak account management, but we don't direct users there.

I agree. And Keycloak has a token revocation endpoint we could use, want me to include that as part of this PR? Was thinking of adding a minder auth offline-token revoke command.

[eleftherias]

IMO if we're going to expose offline tokens to external users we need to show them how to revoke the tokens. In theory it's possible now through the keycloak account management, but we don't direct users there.

I agree. And Keycloak has a token revocation endpoint we could use, want me to include that as part of this PR? Was thinking of adding a minder auth offline-token revoke command.

Yeah I think it should be part of this PR so we don't accidentally release a CLI version without the revocation option

[JAORMX]

@eleftherias sounds good! I'll work on that tomorrow.

[JAORMX]

Just rebased