Authentication / Authorization Configuration via Runtime Variables

[HknLof]

Allow authentication mechanisms to be provided at runtime.

As if now, we have three build time variables that are used for setting up the different authentication methods, which means, we would need different images for different auth methods. It is possible to set the auth method at runtime, so we should create mapper variables to set the auth method at runtime inside the AuthMthodController

The build time variables are: quarkus.http.auth.basic quarkus.oidc.enabled quarkus.security.users.embedded.enabled

[ChrisRousey]

quarkus.oidc.enabled:

• for enabling oidc extension. this can always be activated, it doesn't change the config unless we actually have an oidc provider set up. (it will start a keycloak server in dev mode though, but oidc can just be deactivated in dev mode)
• mapped to datacater.authorization.oidc

quarkus.http.auth.basic:

• Enables basic auth (header auth Authorization: Basic <credentials>) We only have header auth activated for one endpoint, AuthorizationEndpoint. So if this endpoint is deactivated, basic auth is also deactivated. So we will always have basic auth activated, and control it through our endpoint
• mapped to datacater.authorization.basic

quarkus.security.users.embedded.enabled:

• enables using realm security file. The users defined in this file or in the variables are also only considered when we are using basic auth, since oidc uses the providers endpoint. This means, these users are only considered when our authorization-endpoint is used
• mapped to datacater.authorization.basic

[ChrisRousey]

If multiple auth methods are activated, quarkus chooses the method based on priority, basic being the highest. This is addressed by adding a custom HttpAuthenticationMechanism, which chooses between oidc and basic based on what is set in datacater.authorization.oidc