Add OidcAuthenticationCustomizer service provider interface

[jhoward-lm]

This PR adds the capability to customize OIDC authentication with extended functionality if desired.

[jhoward-lm]

@nscuro Suggestions from DependencyTrack/hyades#1632 were implemented. Let me know if that looks a little closer to what you would expect, and if the onAuthenticationSuccess calls look correct. Thanks!

[nscuro]

Just a minor remark, otherwise looks good.

I guess the most important question is, does it help you in achieving what you want?

[nscuro]

Just to be safe, since updateOidcUser could still fail:

Suggested change

	customizer.onAuthenticationSuccess(profile, idToken, accessToken);
	return qm.updateOidcUser(user);
	user = qm.updateOidcUser(user);
	customizer.onAuthenticationSuccess(profile, idToken, accessToken);
	return user;

Same for other invocations. You want to make sure onAuthenticationSuccess is only called when you can be sure that the authentication succeeded.

[jhoward-lm]

Do you think onAuthenticationSuccess might benefit from accepting and/or returning an OidcUser? So this would become something like

return customizer.onAuthenticationSuccess(qm.updateOidcUser(user), profile, idToken, accessToken);

That way, implementers would have access to user.setTeams(), user.setPermissions(), etc. inside onAuthenticateSuccess, if you think that would be useful and if it seems like an acceptable design pattern

[jhoward-lm]

Just a minor remark, otherwise looks good.

Ok thanks, I'll implement that suggestion for all calls to onAuthenticateSuccess.

I guess the most important question is, does it help you in achieving what you want?

What I think is needed:

• Access token for GitLab API requests
• The following claims:
  • groups claim from /userinfo
  • groups_direct claim from /token
  • https://gitlab.org/claims/groups/owner claim from /userinfo
  • https://gitlab.org/claims/groups/maintainer claim from /userinfo
  • https://gitlab.org/claims/groups/developer claim from /userinfo
• Create DT teams such as <GitLab project name>-maintainer
• Assign a certain set of DT permissions (TBD) based on GitLab role
• Might need to configure portfolio access control, not sure yet

Do you think this is currently achievable with these changes? Should the OidcUser be passed in to onAuthenticateSuccess in addition to, or instead of, the merged profile?