Wrap discovery and callback calls

[gl-johnson]

Desired Outcome

Implement the wrapper methods introduced in #2919 and the optional ca-cert config in #2920 to allow custom certs to be provided in the OIDC authenticator config.

Implemented Changes

• Added wrapper methods around:
  • OAuth discovery + JWKS retrieval
  • Identity resolution callback
  • OIDC configuration discovery
• Updated keycloak OIDC environment to use ca-cert variable instead of container truststore (includes integration tests)

Connected Issue/Story

CNJR-2476

Definition of Done

At least 1 todo must be completed in the sections below for the PR to be
merged.

Changelog

• The CHANGELOG has been updated, or
• This PR does not include user-facing changes and doesn't require a
  CHANGELOG update

Test coverage

• This PR includes new unit and integration tests to go with the code
  changes, or
• The changes in this PR do not require tests

Documentation

• Docs (e.g. READMEs) were updated in this PR
• A follow-up issue to update official docs has been filed here: CNJR-2309
• This PR does not require updating any documentation

Behavior

• This PR changes product behavior and has been reviewed by a PO, or
• These changes are part of a larger initiative that will be reviewed later, or
• No behavior was changed with this PR

Security

• Security architect has reviewed the changes in this PR,
• These changes are part of a larger initiative with a separate security review, or
• There are no security aspects to these changes

[gl-johnson]

@john-odonnell This is still a WIP, but I'm curious if you have thoughts about this: turns out that .jwks makes a separate call to the provider's JWKS uri so the cert needs to be available for that as well.

As a workaround I added an optional jwks flag to the custom Client.discover which updates the lambda to include the .jwks call accordingly. Feels a bit hacky but better than the alternative of adding yet another wrapper imo.

[john-odonnell]

I was going to say:

I think the only downside to this is that we wouldn't be able to take advantage of previously cached discovery responses.

but as it turns out, the DiscoverIdentityProvider class was never using the discovery cache anyways. Maybe this is a future low-hanging advancement.

[john-odonnell]

Otherwise, you're right - feels hacky, but I think this works for now. Makes me think that ditching the underlying OIDC client gem might make all this a bit cleaner, though.

[codeclimate]

Authentication::AuthnOidc::V2::Client#self.discover calls 'discovery_configuration.discover!(provider_uri)' 2 times

[codeclimate]

Authentication::AuthnOidc::V2::Client#self.discover is controlled by argument 'jwks'

[john-odonnell]

Suggested change

	- Support an optional`ca-cert` variable for providing custom certs/chains for to verify
	- Support an optional`ca-cert` variable for providing custom certs/chains to verify

[john-odonnell]

I was going to say:

I think the only downside to this is that we wouldn't be able to take advantage of previously cached discovery responses.

but as it turns out, the DiscoverIdentityProvider class was never using the discovery cache anyways. Maybe this is a future low-hanging advancement.

[john-odonnell]

Otherwise, you're right - feels hacky, but I think this works for now. Makes me think that ditching the underlying OIDC client gem might make all this a bit cleaner, though.

[codeclimate]

Code Climate has analyzed commit 932bb49 and detected 5 issues on this pull request.

Here's the issue category breakdown:

Category	Count
Style	1
Complexity	4

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 88.5% (0.0% change).

View more on Code Climate.

[john-odonnell]

LGTM 👍