
SangJunBak (Contributor) commented Dec 15, 2025

To try:

  1. Follow the quickstart guide to get an authentication server (Ory) running in Docker https://www.ory.com/docs/hydra/self-hosted/quickstart
  2. Once running in Docker, run:
bin/environmentd \
-- --oidc-issuer="http://127.0.0.1:4444" \
--oidc-jwks-uri="http://127.0.0.1:4444/.well-known/jwks.json" \
--listeners-config-path='src/materialized/ci/listener_configs/oidc.json'
  3. In the cloned repo, run the following commands to create a client and get the access token by following the authorization code flow:
code_client=$(docker compose -f quickstart.yml exec hydra \
    hydra create client \
    --endpoint http://127.0.0.1:4445 \
    --grant-type authorization_code,refresh_token \
    --response-type code,id_token \
    --format json \
    --scope openid --scope offline --scope profile --scope email \
    --access-token-strategy jwt \
    --redirect-uri http://127.0.0.1:5555/callback)

code_client_id=$(echo $code_client | jq -r '.client_id')
code_client_secret=$(echo $code_client | jq -r '.client_secret')

docker compose -f quickstart.yml exec hydra \
    hydra perform authorization-code \
    --client-id $code_client_id \
    --client-secret $code_client_secret \
    --endpoint http://127.0.0.1:4444/ \
    --port 5555 \
    --scope openid --scope offline --scope profile --scope email
  4. Run `PGPASSWORD="eyJ..." psql -h localhost -p 6875 -U [email protected] materialize`
demo.mov

Motivation

Tips for reviewer

Checklist

  • This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
  • This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
  • If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
  • If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).
  • If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.
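The steps above point environmentd at Hydra's issuer URL and JWKS and then hand the JWT to psql as the password, with the user's email as the role name. What follows is an added example, not code from this PR or from Materialize, of the checks the server side has to make on such a token before the email claim is allowed to select a role: pin the algorithm, pick the verification key by kid, verify the RS256 signature, and only then read iss, aud and exp. It is written in Go (standard library only, so it runs offline) rather than the project's Rust; it generates its own key pair instead of fetching the JWKS document, and the kid "demo-key", the audience "materialize", the email [email protected] and the requirement that aud be present are constructed assumptions, not values from the PR.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// VerifyAccessToken checks a token presented as the connection password against the
// configured issuer, audience and signing keys and returns the email claim the login role
// is matched against. keys stands in for the --oidc-jwks-uri document, indexed by kid.
func VerifyAccessToken(token, issuer, audience string, keys map[string]*rsa.PublicKey) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	hdrJSON, e1 := b64.DecodeString(parts[0])
	body, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := errors.Join(e1, e2, e3, json.Unmarshal(hdrJSON, &hdr)); err != nil {
		return "", err
	}
	// Pin the algorithm instead of dispatching on the token's own alg: rules out alg=none and RS256-to-HS256 confusion.
	if hdr.Alg != "RS256" {
		return "", fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return "", fmt.Errorf("no key with kid %q in JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	// Claims are trusted only after the signature is verified; aud is assumed to be a JSON array.
	var c struct {
		Iss, Email string
		Aud        []string
		Exp        int64
	}
	if err := json.Unmarshal(body, &c); err != nil {
		return "", err
	}
	switch {
	case c.Iss != issuer:
		return "", fmt.Errorf("unexpected issuer %q", c.Iss)
	case !slices.Contains(c.Aud, audience):
		return "", errors.New("token not issued for this audience")
	case c.Exp <= time.Now().Unix():
		return "", errors.New("token expired")
	case c.Email == "":
		return "", errors.New("no email claim to map to a role")
	}
	return c.Email, nil
}

// mintToken stands in for the issuer (Hydra in the steps above): RS256 over header.payload.
func mintToken(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // fails only for an undersized key
	return input + "." + b64.EncodeToString(sig)
}

// Demo publishes one key for an issuer at the quickstart address and returns the verdict on a valid token, an alg=none forgery, an expired token and one signed by a key that is not in the JWKS.
func Demo() (email string, valid, noneAlg, expired, wrongKey error) {
	const issuer, kid, aud = "http://127.0.0.1:4444", "demo-key", "materialize"
	issuerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := map[string]*rsa.PublicKey{kid: &issuerKey.PublicKey}
	now := time.Now().Unix()
	claims := func(exp int64) map[string]any { // constructed sample claims
		return map[string]any{"iss": issuer, "sub": "u1", "aud": []string{aud}, "exp": exp, "email": "[email protected]"}
	}
	good := mintToken(issuerKey, kid, claims(now+3600))
	email, valid = VerifyAccessToken(good, issuer, aud, keys)
	noneHdr := b64.EncodeToString([]byte(`{"alg":"none","kid":"` + kid + `"}`)) // unsigned forgery reusing the real payload
	_, noneAlg = VerifyAccessToken(noneHdr+"."+strings.Split(good, ".")[1]+".", issuer, aud, keys)
	_, expired = VerifyAccessToken(mintToken(issuerKey, kid, claims(now-60)), issuer, aud, keys)
	_, wrongKey = VerifyAccessToken(mintToken(otherKey, kid, claims(now+3600)), issuer, aud, keys)
	return
}

func main() {
	fmt.Println(Demo())
}
```

VerifyAccessToken is the reusable part; Demo only mints the four tokens and reports the verdict on each. A real JWKS client would fill the keys map from the document's kty/kid/n/e members (base64url big-endian integers) and refetch the document when it meets a kid it does not know, rather than falling back to any other key.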

SangJunBak changed the title WIP [Prototype] Self Managed OIDC Authentication Dec 15, 2025
include_www_authenticate_header,
});
}
Authenticator::Oidc(oidc) => match creds {
Contributor

Very preliminary comment, but I think with the number of authenticators growing we should maybe put this behind an interface, maybe make Authenticator compatible with trait objects, but at least we could move this big match statement to the authenticator crate.

Contributor

Not really a comment about your PR but the general state here 😅

Contributor Author

I agree here!

let auth_session = pending().right_future();
(session, auth_session)
}
Authenticator::Oidc(oidc) => {
Contributor

Same comment as above, I'm hopeful we can factor this whole match statement out into the authenticator crate or maybe put it behind dyn objects.

Contributor Author

I was thinking that too! Definitely some common traits between this and the frontegg authenticator.
