AAP-45580 Add callback url to generic OIDC authenticator (#771)

## Description
<!-- Mandatory: Provide a clear, concise description of the changes and
their purpose -->
- What is being changed?
Adding CALLBACK_URL to generic OIDC authenticator plug-in.

- Why is this change needed?
To provide the callback url via the UI.
 
- How does this change address the issue?
The UI automatically presents the callback URL when present.

## Type of Change
<!-- Mandatory: Check one or more boxes that apply -->
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] Documentation update
- [x] Test update
- [ ] Refactoring (no functional changes)
- [ ] Development environment change
- [ ] Configuration change

## Self-Review Checklist
<!-- These items help ensure quality - they complement our automated CI
checks -->
- [x] I have performed a self-review of my code
- [x] I have added relevant comments to complex code sections
- [ ] I have updated documentation where needed
- [x] I have considered the security impact of these changes
- [x] I have considered performance implications
- [x] I have thought about error handling and edge cases
- [x] I have tested the changes in my local environment

### Required Actions
<!-- Check if changes require work in other areas -->
<!-- Remove section if no external actions needed -->
- [x] Requires documentation updates
  <!-- API docs, feature docs, deployment guides -->
The Configuring authentication in the Ansible Automation Platform
section on configuring generic OIDC authentication requires updating
similarly to that of configuring SAML authentication. The update needed
is the inclusion of a suitably worded version of the following from
SAML....

> The SAML Assertion Consumer Service (ACS) URL field registers the
service as a service provider (SP) with each identity provider (IdP) you
have configured. Leave this field blank. After you save this
authentication method, it is auto generated. This field must match the
Reply URL setting in your IdP.

Something like the following...

> The OIDC Callback URL field registers the service as a service
provider (SP) with each OIDC provider (IdP) you have configured. Leave
this field blank. After you save this authentication method, it is auto
generated. This field must match the Redirect Endpoint URL setting in
your IdP.

Author: jshimkus-rh

ansible_base/authentication/authenticator_plugins/oidc.py

@@ -9,7 +9,7 @@
 from social_core.backends.open_id_connect import OpenIdConnectAuth
 
 from ansible_base.authentication.authenticator_plugins.base import AbstractAuthenticatorPlugin, BaseAuthenticatorConfiguration
-from ansible_base.authentication.social_auth import SocialAuthMixin
+from ansible_base.authentication.social_auth import SocialAuthMixin, SocialAuthValidateCallbackMixin
 from ansible_base.lib.serializers.fields import BooleanField, CharField, ChoiceField, DictField, IntegerField, ListField, URLField
 from ansible_base.lib.utils.settings import get_setting
 
@@ -90,6 +90,15 @@ class OpenIdConnectConfiguration(BaseAuthenticatorConfiguration):
         ui_field_label=_("Authorization URL"),
     )
 
+    CALLBACK_URL = URLField(
+        help_text=_(
+            "Provide this URL as the callback URL for your application as part of your registration process. Refer to the documentation for more detail."
+        ),
+        required=False,
+        allow_null=True,
+        ui_field_label=_("OIDC Callback URL"),
+    )
+
     ID_KEY = CharField(
         help_text=_("The JSON key used to extract the user's ID from the ID token."),
         default="sub",
@@ -210,7 +219,7 @@ class OpenIdConnectConfiguration(BaseAuthenticatorConfiguration):
     )
 
 
-class AuthenticatorPlugin(SocialAuthMixin, OpenIdConnectAuth, AbstractAuthenticatorPlugin):
+class AuthenticatorPlugin(SocialAuthMixin, SocialAuthValidateCallbackMixin, OpenIdConnectAuth, AbstractAuthenticatorPlugin):
     configuration_class = OpenIdConnectConfiguration
     type = "open_id_connect"
     logger = logger

test_app/tests/authentication/authenticator_plugins/test_oidc.py

@@ -6,7 +6,7 @@
 
 from ansible_base.authentication.authenticator_plugins.oidc import AuthenticatorPlugin
 from ansible_base.authentication.session import SessionAuthentication
-from ansible_base.lib.utils.response import get_relative_url
+from ansible_base.lib.utils.response import get_fully_qualified_url, get_relative_url
 
 authenticated_test_page = "authenticator-list"
 
@@ -42,6 +42,27 @@ def test_oidc_auth_failed(authenticate, unauthenticated_api_client, oidc_authent
     assert response.status_code == 401
 
 
+def test_oidc_create_via_api_without_callback_url(admin_api_client, oidc_configuration):
+    del oidc_configuration['CALLBACK_URL']
+
+    authenticator_data = {
+        "name": "Test OIDC Authenticator",
+        "enabled": True,
+        "create_objects": True,
+        "remove_users": True,
+        "type": "ansible_base.authentication.authenticator_plugins.oidc",
+        "configuration": oidc_configuration,
+    }
+
+    url = get_relative_url("authenticator-list")
+    response = admin_api_client.post(url, data=authenticator_data, format="json", SERVER_NAME="dab.example.com")
+    assert response.status_code == 201, response.data
+
+    slug = response.data["slug"]
+    expected_path = get_fully_qualified_url('social:complete', kwargs={'backend': slug})
+    assert response.data["configuration"]["CALLBACK_URL"] == f"http://dab.example.com{expected_path}"
+
+
 @pytest.mark.django_db
 @pytest.mark.parametrize(
     "endpoint_url, expected_status_code, expected_error",

test_app/tests/conftest.py

@@ -305,10 +305,11 @@ def google_oauth2_authenticator(google_oauth2_configuration):
 def oidc_configuration():
     return {
         "OIDC_ENDPOINT": "https://localhost/api/gateway/callback/oidc_test/",
-        "OIDC_VERIFY_SSL": True,
+        "VERIFY_SSL": True,
         "KEY": "12345",
         "SECRET": "abcdefg12345",
         "AUTHORIZATION_URL": "https://oidc.example.com/authorize/",
+        "CALLBACK_URL": "https://localhost/api/social/complete/ansible_base-authenticator_plugins-oidc__test-oidc-authenticator/",
     }