Deprecate Batman for Grafana in favor of OAuth2

[byewokko]

Is your feature request related to a problem? Please describe.

• Batman synchronization is still rather clumsy and buggy.
• Current versions of Grafana have native support for OAuth authorization flow (see https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/). No extra implementation is needed in Seacat Auth, only configuration.

Grafana docker container config example:

 grafana:
  # (...)
  environment:
    # (...)
    GF_AUTH_GENERIC_OAUTH_ENABLED: true
    GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE: true
    GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN: true
    GF_AUTH_GENERIC_OAUTH_USE_PKCE: false
    GF_AUTH_GENERIC_OAUTH_USE_REFRESH_TOKEN: false
    GF_AUTH_GENERIC_OAUTH_NAME: Seacat Auth
    GF_AUTH_GENERIC_OAUTH_CLIENT_ID: qwe123asd456
    GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: abc123def546
    GF_AUTH_GENERIC_OAUTH_SCOPES: openid email profile
    GF_AUTH_GENERIC_OAUTH_AUTH_URL: "${PUBLIC_URL}/api/openidconnect/authorize"
    GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "${PUBLIC_URL}/api/openidconnect/token"
    GF_AUTH_GENERIC_OAUTH_API_URL: "${PUBLIC_URL}/api/openidconnect/userinfo"
    GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT: true
    GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: contains(resources."*"[*], 'authz:superuser') && 'Admin' || contains(resources."*"[*], 'grafana:edit') && 'Editor' || contains(resources."*"[*], 'grafana:access') && 'Viewer'

Caveats

• Authorization endpoint is accessed by the user-agent, while the Token endpoint and the Userinfo endpoint are accessed directly by Grafana backend app. This back-channel communication is not always possible - PUBLIC_URL may require a special configuration to be reachable from within a Docker container running on the same server.

To do

• [ ] Update the documentation
• [ ] Update the nginx config examples
• [ ] Add deprecation warning to Grafana Batman module