Enable user filtering proxy for hpad

[datadavev]

hpad uses github or orcid accounts for create / write access, but the underlying codimd service does not support a whitelist for users. This can be implemented using keycloak as an authentication proxy, and directing codimd to use keycloak instead of github.

The steps seem to be:

• Add GitHub as an identity provider, add the codimd github clientid and secret to keycloak (or register as a new oauth app). Probably using the "First Broker Login" flow
• Add a condition to check if a username is in a predefined list
• Configure hpad to use OIDC pointing to keycloak

[mbjones]

The HedgeDoc deploy documentation says it supports OAuth2 here: https://docs.hedgedoc.org/configuration/#oauth2-login. The following variables support creating a whitelist of allowed accounts:

• CMD_OAUTH2_SCOPE: Scope to request for OIDC (OpenID Connect) providers.
• CMD_OAUTH2_ROLES_CLAIM: ID token claim, which is supposed to provide an array of strings of roles
• CMD_OAUTH2_ACCESS_ROLE: The role which should be included in the ID token roles claim to grant access

@datadavev Keycloak supports Github as an Identify provider, but is there a reason we can't just use ORCID as the identity provider as we are for other services?

[datadavev]

Sure, ORCID is already supported for hpad login. There's no mapping of accounts between orcid and github in hpad though, so if we disable github auth then it's hard to locate the pad you author / edit.

[mbjones]

There are only a handful (20ish?) people that legit created content on the site. Can we manually change ownership from a github identitiy to an orcid identity in the database? If so, I can probably generate the mapping between the accounts pretty easily.