feat(sso): Just-In-Time User & Group Provisioning on SSO Login (oidc) #3082

Merged
merged 22 commits into from
Aug 20, 2021

Conversation

jjoyce0510
Collaborator

@jjoyce0510 jjoyce0510 commented Aug 12, 2021

We're really excited about this one! This PR is a part of an initiative to improve the User & Group onboarding experience inside of DataHub.

Status
ready

Changes
This PR introduces just-in-time provisioning of users and groups in DataHub. This means that users and optionally groups (if they can be extracted) are created for a user at login time if they do not already exist. Note that in the future we'd like to support merging of existing information with new information provided by an IdP at login, but that will not appear in this iteration.

Going forward, this behavior will be the default for deployments with OIDC enabled. However, this behavior can be disabled altogether (for example if you are batch ingesting your users). For information on how to customize this behavior for your deployment, see the configure-oidc-react.md doc.

In addition to adding provisioning, I've also refactored the SSO related code significantly to set us up for a future where multiple SSO protocols are supported: OIDC, SAML 2.0 & beyond. This includes the addition of the following components in the datahub frontend server:

  • SsoManager: Responsible for providing information about the currently active SSO configurations.
  • SsoController: Responsible for handling the indirect identity provider callback to DataHub, including routing to protocol-specific handlers like the new OidcCallbackLogic class.
  • SsoProvider: A thin wrapper around the Pac4j Client object as well as a DataHub-specific set of SSO configurations (e.g. OidcConfigs).

Manually validated all configurations against a deployment of Okta.

Checklist

  • The PR conforms to DataHub's Contributing Guideline (particularly Commit Message Format)
  • Links to related issues (if applicable)
  • Tests for the changes have been added/updated (if applicable)
  • Docs related to the changes have been added/updated (if applicable)
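
The provisioning behavior described in this PR (create the user and, where extractable, the groups at login only if they do not already exist, with no merging of existing records), as an added example that is not part of the PR or DataHub's code. The class, setting and store names are hypothetical, and the claims map is assumed to come from an ID token that the OIDC client has already validated.

```java
import java.util.*;

// Added illustration: class, setting and store names are hypothetical, not DataHub's.
public class JitProvisioningExample {
    // Stand-ins for the deployment's provisioning settings (names assumed).
    static boolean jitProvisioningEnabled = true;
    static boolean extractGroupsEnabled = true;
    static String groupsClaimName = "groups";
    // In-memory stand-ins for the user and group stores.
    static final Map<String, Map<String, Object>> users = new HashMap<>();
    static final Set<String> groups = new TreeSet<>();

    /** Call only with claims from an ID token the OIDC client has already validated. */
    static void onSsoLogin(Map<String, Object> claims) {
        Object sub = claims.get("sub");
        if (!(sub instanceof String) || ((String) sub).isEmpty()) {
            throw new IllegalArgumentException("ID token has no usable subject claim");
        }
        if (!jitProvisioningEnabled) return; // e.g. users are batch ingested instead
        // Create only if absent: an existing record is neither merged nor overwritten.
        users.computeIfAbsent((String) sub, id -> {
            Map<String, Object> profile = new HashMap<>();
            profile.put("email", claims.get("email"));
            return profile;
        });
        // Groups are optional: skip when disabled, missing, or not a list of strings.
        Object raw = extractGroupsEnabled ? claims.get(groupsClaimName) : null;
        if (raw instanceof Collection) {
            for (Object g : (Collection<?>) raw) {
                if (g instanceof String && !((String) g).trim().isEmpty()) {
                    groups.add(((String) g).trim());
                }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample claims; the groups list includes a non-string entry on purpose.
        Map<String, Object> claims = new HashMap<>();
        claims.put("sub", "jdoe");
        claims.put("email", "jdoe@example.com");
        claims.put("groups", Arrays.asList("analytics", " data-eng ", 42));
        onSsoLogin(claims);
        claims.put("email", "changed@example.com");
        onSsoLogin(claims); // second login: the existing user record is left untouched
        System.out.println(users + " " + groups);
    }
}
```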

@jjoyce0510 jjoyce0510 force-pushed the JITUserGroupProvisioning branch from 64bfd22 to 846dc6f Compare August 20, 2021 05:11
Contributor

@shirshanka shirshanka left a comment

LGTM!

@shirshanka shirshanka merged commit 81eb4f1 into datahub-project:master Aug 20, 2021