External login webhook

[byewokko]

closes #282

When an unknown user logs in via external identity provider, a webhook is triggered. The target service can register the user and send back their credential ID. If the response contains a valid credential_id, the login proceeds as successful.

Registration webhook

• To enable the webhook, configure registration_webhook_uri in [seacatauth:external_login].
• The webhook JSON payload contains
  • provider_type - the type of the identity provider (e.g. google or appleid),
  • authorization_response - response query parameters without the authorization code,
  • user_info - OpenID UserInfo-like claims about the logged in user (mandatory sub, optional email, preferred_username etc.). The actual claims differ from provider to provider and also depend on your client's scope and configuration.
• A successful response must contain a valid credential_id of the created credentials. Otherwise, the response is considered error and the login results in failure.

Example

Config:

[seacatauth:external_login]
registration_webhook_uri=http://localhost:8089/external_registration

Request (from Seacat Auth):

POST http://localhost:8089/external_registration
{
  "provider_type": "google",
  "authorization_response": {
    "scope": "email profile openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
    "authuser": "0",
    "prompt": "consent"
  },
  "user_info": {
    "iss": "accounts.google.com",
    "sub": "01234567890123456789",
    "email": "abcdefgh@gmail.com",
    "email_verified": true
  }
}

Response (from the webhook client):

{"credential_id": "mongodb:custom:abcd123456789"}