Associate external provider to logged user #118

Open
9 tasks
fmigneault opened this issue Oct 18, 2018 · 1 comment
Labels
enhancement Improvements in term of performance or behaviour feature New feature to be developed ui Something related to the UI operations or display
Collaborator

fmigneault commented Oct 18, 2018

Using the authomatic login procedure with external identity providers (github, wso2, dkrz, ...), instead of creating a new internal user, connect the external user to an already logged in user.

This allows an internal user to log in with any of their associated accounts (similar to most sites using 'connect with Google/Facebook/etc.'), and combine all user permissions of a "same person" under a common internal user identity (no duplication required across each sub-user for each external provider).

ExternalIdentity already resolves properly to the internal user when logging in with an external identity if the associated db external_identities.local_user_id points to a valid internal user. Only the method to set this field needs to be implemented.

TODO

  • Will require a new API route POST /providers/{providerId}/add to launch the GET /providers/{providerId}/signin procedure. On valid external login, it should create the external identity and associate it to the current user.

  • API HTTPNotAuthorized on calling the new route if not logged in (with internal user).
    [using default magpie view permission should do it]

  • API HTTPNotAuthorized on external login failure.

  • API HTTPCreated on successful external identity creation and association to local user.

  • Ensure that previous operations still work. If login is done with either:
    POST /signin {"provider_name": "<providerID>"}
    GET /providers/{providerId}/signin
    without being logged in (internal user)

  • Will require a new UI button to associate the new external provider, ideas:

    • "Link Account" button under "Log Out" (none when "Log In") redirecting to a "select provider" page?
    • row of icons of each provider, calling directly to proper POST /providers/{providerId}/add?

  • Require DELETE /providers/{providerId} to dissociate an account connection, removing the ExternalIdentity that was created for it (does not remove the User associated to it).

  • Add a UI button for running the dissociate operation.

Extra

  • Improve the mechanism to auto-create the user on external provider login. Currently, the username is auto-generated using the provided username (on the external provider), which can rapidly lead to conflicts locally. An input field should be made available for the local username to employ, regardless of the value used as external identity.

fmigneault added enhancement Improvements in term of performance or behaviour feature New feature to be developed ui Something related to the UI operations or display labels Oct 18, 2018
fmigneault self-assigned this Oct 18, 2018
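
The link and unlink flow from the TODO list above, modelled in memory as an added example (not Magpie's code and not written by the issue author). Class and function names are hypothetical, and the 409, 404 and 200 responses are assumptions; the 401 and 201 outcomes and the local_user_id association come from the issue.

```python
# Added illustration: in-memory model of the proposed link/unlink routes.
# Names are hypothetical; 409/404/200 are assumptions not stated in the issue.
from dataclasses import dataclass, field


@dataclass
class Store:
    users: set = field(default_factory=set)  # local user names
    # (provider, external_id) -> local_user_id, as in external_identities
    external_identities: dict = field(default_factory=dict)


def logged_in(store, session_user):
    return session_user is not None and session_user in store.users


def link_provider(store, session_user, provider, external_id):
    """POST /providers/{providerId}/add; external_id is None on failed external login."""
    if not logged_in(store, session_user):
        return 401  # route requires an internal user session
    if external_id is None:
        return 401  # external login failure
    key = (provider, external_id)
    if key in store.external_identities:
        return 409  # assumption: an identity that is already linked is never re-pointed
    store.external_identities[key] = session_user
    return 201  # identity created and associated to the current user


def signin_external(store, provider, external_id):
    """Existing behaviour: resolve an external identity through local_user_id."""
    user = store.external_identities.get((provider, external_id))
    return user if user in store.users else None


def unlink_provider(store, session_user, provider):
    """DELETE /providers/{providerId}: remove the identity, keep the user."""
    if not logged_in(store, session_user):
        return 401
    keys = [k for k, owner in store.external_identities.items()
            if k[0] == provider and owner == session_user]
    if not keys:
        return 404  # assumption: nothing linked for this provider
    for k in keys:
        del store.external_identities[k]
    return 200  # assumption: success code for the dissociation
```

The 409 branch is the check that keeps a second local user from claiming an external identity that already resolves to someone else.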
@tomLandry

This is in line with this issue, to be delivered in PAVICS-hydro project, mostly for support of external identity providers. Ouranosinc/pavics-sdi#61

@huard for your information, WSO2 support is a brand new thing. A functionality implemented for OGC Testbed. Much to say on this, but it can bridge with Canarie Access Federation (CAF). Remains to be seen if it can help for CC access.
