create dataone OIDC clients for web auth

[mbjones]

To authenticate through keycloak, we will want web applications to authenticate against OIDC client endpoints. We are likely to need at least two such client endpoints, one for general server-side web applications, and one for SPA client-side web applications. We should create both, starting with the simpler server-side client:

• dataone: an OIDC client for web apps with server-side clients
• dataone-spa: an OIDC client for single page apps that can't protect the client app. We may want more than one of these, likely one for each metacatUI deployment that we support. Alternatively, we could use one of these, but reconfigure it to support multiple redirect URLs to different deployment endpoints

[mbjones]

I created an example confidential, server-side client (ogdc) to serve an example flask application. Basic authentication and property management are supported.

[mbjones]

Initial sample flask app is here on a branch: https://github.com/DataONEorg/dataone-keycloak/tree/f13-flask-app

However, I think it should get moved out into its own repository, as it is really just example code and will not ship with our keycloak helm chart.

[mbjones]

That sample uses the Flask-OIDC library, and, while working, it has some problems. The main problem is that I seem to have little or not control of the client endpoints for OIDC (such as the redirect URI), and so the app is a bit clunky now.

Others have recommended some other client libs for OIDC as well, including:

• Authlib
• python-keycloak
  • python-keycloak API docs
• FastAPI OIDC
  • Tutorial