investigate creation of openid rodsusers on demand

[trel]

Feature

Just an idea... needs more consideration...

new boolean configuration setting

• http_server/authentication/openid_connect/create_new_rodsusers (default: false)

if this setting is true:

• if openid authentication comes back good:
  • catch CAT_INVALID_USER from the iRODS server
  • create that rodsuser with no password
  • retry the original proxied operation

note: iinit rejects an empty password, but we should confirm that the protocol/server itself doesn't allow authentication via native with a missing/non-set/empty password.

[MartinFlores751]

My question, ignoring the password part, is what would we use to determine the new username? OpenID, in its default claims, MAY contain preferred_username, and OAuth MAY provide a username in its token introspection endpoint.

Of possible interest is also the lack of a username in the JWT profile for OAuth 2.0 access tokens (for offline token validation): https://www.rfc-editor.org/rfc/rfc9068

More to think about, would this an extension of the user mapping plugin? (e.g. user_mapper_generate_username_from_access_or_id_token(...))