Member SSO Provider (OAuth2/OIDC)

[krestenlaust]

This PR adds

• Login form to authenticate members using their email (One-Time Password member login)
• Endpoints and logic needed for external OpenID login (External SSO provider)

How does it authenticate a member?
Whenever a Member logs in using the new login form (/ffo/login), a companion non-staff user is added, and a reference to the user is added to the member.

This user is then authenticated with requests, the same way django normally handles user logins.

How does it look on an external service?
Example buttons:

To-do:

• Add proper SSO button template for easy copying
• Handle duplicate User usernames, when creating companion user
• Create OTP sign-in (right now it just accepts without proof of email)
• Rename to 'ffo'
• Find a way to replace dependency of custom fork: https://github.com/krestenlaust/django-oauth-toolkit/tree/2.4.0-custom-login-url
• Add OpenAPI definiton
• Update fixtures
• Clean-up / tidy-up code
• Add '.well-known' redirect at '/' to '/o'
• Collapse migrations
• Send actual email with OTP
• Add roles-claim to signal whether a user is 'staff' or not
• Add groups-claim and embed all user groups
• Document creation of oidc.key, make sure you can start a dev env without it
• Clean-up / tidy-up code again (in the end)
• Add revoke-ability on user profile in stregsystem
• Add tests to verify that admin logins still work independently

Related:

• Reported feature-need upstream: Custom login url to override Django-Admin login_url django-oauth/django-oauth-toolkit#1663 (currently solved in fork) Solved using custom login view

[krestenlaust]

Current 'ffo/login', stage 1

stage 2

[krestenlaust]

Remember to add these checks to login

    if not member.signup_due_paid:
        return False

    if not member.signup_approved():
        return False

[krestenlaust]

Extracted all login details into separate PR to make it more clean. This one will have to wait for that to be merged into main: #637