We need to replace all local login handling in the SSO with a call to AWS Cognito. There is one exception: the AWS callback endpoint (#96) should still look the user up in the local database. The AD login should also keep working as it does now.
The call to AWS should use the "USER_PASSWORD_AUTH" login flow, initiated via the "AdminInitiateAuth" endpoint. (There is also "InitiateAuth", but that is meant for unauthenticated frontend calls, such as from a native JavaScript app; AdminInitiateAuth is called server-side with IAM credentials.) The flow has to be enabled on the app client (ALLOW_USER_PASSWORD_AUTH in its explicit auth flows), and if the app client is created with a client secret, every request must also carry a SECRET_HASH computed from the username, client id and client secret.
See: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html
Probably best to use boto3 so it handles the AWS request signing (SigV4) for us. We also need a developer account to enable this. The SSO should be registered as a separate app client in the Cognito user pool, and the IAM principal the SSO runs as needs cognito-idp:AdminInitiateAuth on that pool.
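Sketch of what the server-side call could look like, added here as an example and not code from the SSO itself. The region, pool id, client id and client secret are placeholder assumptions; the boto3 client is passed in so the login logic can be exercised with a fake client and without AWS credentials. It computes SECRET_HASH, builds the AdminInitiateAuth request, and distinguishes bad credentials (a normal failed login) from a Cognito challenge (e.g. NEW_PASSWORD_REQUIRED) and from configuration errors such as the flow not being enabled on the client, which should not be swallowed.

```python
"""Added example: AdminInitiateAuth with USER_PASSWORD_AUTH via boto3.

Not the SSO project's own code. Region, pool id, client id and client
secret below are placeholders (assumptions); the boto3 client is injected
so the function can be run with a fake client and no AWS credentials.
"""
import base64
import hashlib
import hmac
from typing import Optional

REGION = "eu-west-1"                     # assumption
USER_POOL_ID = "eu-west-1_EXAMPLE"       # assumption: placeholder pool id
CLIENT_ID = "example-sso-client-id"      # assumption: the SSO's own app client
CLIENT_SECRET = "example-client-secret"  # assumption: load from a secret store in practice

# Cognito error codes that mean "these credentials do not log anyone in".
# The SSO should treat these as an ordinary failed login, not as a server error.
LOGIN_FAILURE_CODES = {
    "NotAuthorizedException",
    "UserNotFoundException",
    "PasswordResetRequiredException",
}


def secret_hash(username: str, client_id: str = CLIENT_ID,
                client_secret: str = CLIENT_SECRET) -> str:
    """SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).

    Cognito requires this parameter whenever the app client has a client secret.
    """
    digest = hmac.new(client_secret.encode("utf-8"),
                      (username + client_id).encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_auth_params(username: str, password: str) -> dict:
    """Keyword arguments for cognito-idp AdminInitiateAuth."""
    auth_parameters = {"USERNAME": username, "PASSWORD": password}
    if CLIENT_SECRET:  # omit SECRET_HASH only for app clients without a secret
        auth_parameters["SECRET_HASH"] = secret_hash(username)
    return {
        "UserPoolId": USER_POOL_ID,
        "ClientId": CLIENT_ID,
        "AuthFlow": "USER_PASSWORD_AUTH",
        "AuthParameters": auth_parameters,
    }


def cognito_login(client, username: str, password: str) -> Optional[dict]:
    """Authenticate against Cognito with AdminInitiateAuth.

    Returns {"tokens": {...}} on success, {"challenge": ..., "session": ...}
    when Cognito wants a follow-up step (e.g. NEW_PASSWORD_REQUIRED), and
    None for bad credentials. Anything else (for example
    InvalidParameterException because USER_PASSWORD_AUTH is not enabled on
    the app client, or missing IAM permission) is a deployment problem and
    is re-raised rather than reported as a wrong password.
    """
    try:
        resp = client.admin_initiate_auth(**build_auth_params(username, password))
    except Exception as exc:
        # botocore.exceptions.ClientError carries the error code in
        # exc.response["Error"]["Code"]; reading it via getattr keeps this
        # testable with a fake client that raises a look-alike exception.
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code in LOGIN_FAILURE_CODES:
            return None
        raise
    if "ChallengeName" in resp:
        return {"challenge": resp["ChallengeName"], "session": resp.get("Session")}
    result = resp["AuthenticationResult"]
    return {"tokens": {
        "id": result["IdToken"],
        "access": result["AccessToken"],
        "refresh": result.get("RefreshToken"),
    }}


def make_client():
    """Real client; boto3 signs the request with the IAM credentials it finds
    (environment, profile or instance role). Imported lazily so the rest of
    this module runs without boto3 installed."""
    import boto3
    return boto3.client("cognito-idp", region_name=REGION)
```

In the SSO the result of cognito_login() replaces the local password check; a None result maps onto the existing "invalid credentials" response, a challenge result should be surfaced rather than treated as success, and the callback endpoint (#96) and the AD path do not go through this function at all.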