Add OIDC authentication flows tests for federation

[xek]

This adds support for testing all OIDC authentication methods:

• v3oidcpassword (Resource Owner Password Credentials)
• v3oidcclientcredentials (Client Credentials)
• v3oidcaccesstoken (Access Token Reuse)
• v3oidcauthcode (Authorization Code)

New features:

• Templates for each OIDC auth method configuration
• Helper script to obtain tokens from Keycloak
• Keycloak client setup for Service Accounts and Device Auth
• Comprehensive test suite with assertions
• Updated README with full documentation

Note: v3oidcdeviceauthz requires Python 3.10+ and is not
available in OSP18 which ships with Python 3.9.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/6784616a5ea14ec68f0010c05d3dfdeb

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 36m 26s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 23m 55s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 37m 52s
❌ cifmw-crc-podified-edpm-baremetal-minor-update FAILURE in 2h 22m 47s
✔️ cifmw-pod-zuul-files SUCCESS in 4m 48s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 8m 59s
❌ cifmw-pod-pre-commit FAILURE in 8m 09s
✔️ cifmw-molecule-federation SUCCESS in 1m 42s

[softwarefactory-project-zuul]

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://softwarefactory-project.io/zuul/t/rdoproject.org/buildset/888f51a660624496a38dbb9ea0ba7425

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 35m 57s
✔️ podified-multinode-edpm-deployment-crc SUCCESS in 1h 24m 17s
✔️ cifmw-crc-podified-edpm-baremetal SUCCESS in 1h 43m 29s
✔️ cifmw-crc-podified-edpm-baremetal-minor-update SUCCESS in 2h 17m 29s
✔️ cifmw-pod-zuul-files SUCCESS in 23m 51s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 8m 24s
❌ cifmw-pod-pre-commit FAILURE in 8m 03s
✔️ cifmw-molecule-federation SUCCESS in 1m 43s

[jagee]

Everything looks good to me, just wanted see if you though we should remove one duplicate auth test from the older code.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign michburk for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[michburk]

Hi @xek , thanks for the patch and thanks for including test results, but please don't directly share downstream links (e.g. links to our private gitlab instance or downstream zuul) here on github. It's technically a leak, no matter how small and insignificant. Instead, include a link to a jira ticket here on github, and on that ticket, include the downstream link in a comment marked as 'Restricted to Red Hat Employee'.

Thanks!