Login and secret storage in Enarx CLI

[rvolosatovs]

The flow should be as follows:

1. CLI constructs an OpenID Client, performs discovery on issuer URL and constructs an auth URL with a redirect to localhost:$PORT
2. CLI prints the URL to stdout and listens on localhost:$PORT (meanwhile the user opens the URL on the same machine the CLI is running on and performs the login)
3. Once the request arrives on the socket after successful login, code parameter should be extracted from the URL and a request should be made to identity provider to exchange the code to an access token.
4. Token is stored to disk or in the OS keychain

Very rough, insecure example adapted from https://docs.rs/openidconnect/2.3.1/openidconnect/index.html#getting-started-authorization-code-grant-w-pkce:

    let provider_metadata =
        CoreProviderMetadata::discover(&IssuerUrl::new(oidc_issuer.into())?, http_client)?;

    let oidc_secret = oidc_secret.unwrap();

    let client = CoreClient::from_provider_metadata(
        provider_metadata.clone(),
        ClientId::new(<client_id>),
        Some(ClientSecret::new(<client_secret>)),
    )
    .set_redirect_uri(RedirectUrl::new("http://127.0.0.1:8081".to_string())?);

    let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();

    let (auth_url, _csrf_token, nonce) = client
        .authorize_url(
            CoreAuthenticationFlow::AuthorizationCode,
            CsrfToken::new_random,
            Nonce::new_random,
        )
        .add_scope(Scope::new("read".to_string()))
        .add_scope(Scope::new("write".to_string()))
        .url();

    println!("Browse to: {}", auth_url);

    let (stream, _) = TcpListener::bind("127.0.0.1:8081").await?.accept().await?;
    Http::new()
        .serve_connection(
            stream.compat(),
            service_fn(|req| async move {
                let provider_metadata = CoreProviderMetadata::discover(
                    &IssuerUrl::new("<issuer_url>".to_string()).unwrap(),
                    http_client,
                )
                .unwrap();

                let client = CoreClient::from_provider_metadata(
                    provider_metadata,
                    ClientId::new(<client_id>),
                    Some(ClientSecret::new(<client_secret>)),
                )
                .set_redirect_uri(RedirectUrl::new("http://127.0.0.1:8081".to_string()).unwrap());

                let uri = req.uri();
                let query = uri.path_and_query().unwrap().query().unwrap();

                let params = query.split('&').collect::<Vec<&str>>();
                let code = params
                    .iter()
                    .find(|p| p.starts_with("code="))
                    .unwrap()
                    .trim_start_matches("code=");

                let token_response = client
                    .exchange_code(AuthorizationCode::new(code.to_string()))
                    .request(http_client)
                    .unwrap();

                let access_token = token_response.access_token();

                println!("Token: {}", access_token.secret());
                Ok::<_, Infallible>(Response::new(Body::from("received token")))
            }),
        )
        .await
        .context("failed to handle request")
        .unwrap();

Refs #191
Refs #118
enarx/enarx#1953

Some of the session-related code from https://github.com/profianinc/benefice/tree/main/crates/auth could be extracted and adapted to OpenID Conect client login flow.

[rvolosatovs]

Turned out we can use device flow for this, see https://github.com/rvolosatovs/oidc-login for a working example