Add keycloak SSO

[paulbauriegel]

Add keycloak SSO

Based on discussion in #5691

Points that need some feedback:

• A lot of configurations are set via env variables now. Not sure if that's ideal, error messages if something is not set correctly can be rather cryptic with social auth lib
• I added the Keycloak logo to the Oauth button id the provider is keycloak, generally the same could also be done for the HF logo not having a separate button
• Is the documentation to set-up a keycloak server sufficient?

Type of change

• Improvement (change adding some improvement to an existing functionality)
• Documentation update

How Has This Been Tested
Local build & Keycloak installation as described in the documentation.

Checklist

• I added relevant documentation
• I followed the style guidelines of this project
• I did a self-review of my code
• I made corresponding changes to the documentation
• I confirm My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• TODO I have added relevant notes to the CHANGELOG.md file (See https://keepachangelog.com/)

[davidberenstein1957]

Related #5691

[paulbauriegel]

I tested it a bit with a local set-up but it does not seem to work. I need some time to debug it, to understand why it is not working.

[frascuchon]

I tested it a bit with a local set-up but it does not seem to work. I need some time to debug it, to understand why it is not working.

I've pushed some missing tests to see the expected values https://github.com/argilla-io/argilla/blob/bf2a0f64a991731602cd521188dd95bb3896d7ea/argilla-server/tests/unit/api/handlers/v1/test_oauth2.py

[bulatovv]

Just wanted to check if you need any help with this? Really looking forward to this feature

[paulbauriegel]

@bulatovv @frascuchon I just started looking at it again after being on vacation for a while. What I see is the following behaviour:

• Existing users even if their role is changed have no changed role in the Argilla UI

• New users that are already added with new roles have a different problems and cannot login the first time getting a HTTP_422_UNPROCESSABLE_ENTITY the first time and with the second login time are just a annotator with basic rights

I'm looking at those things right now. Generally speaking the simple authentification with Keycloak works, what does not work are the roles & workspace assignments

[paulbauriegel]

@frascuchon I updated the code for the cases that where failing for me:

1. Multiple conflicting roles set in keycloak
2. Creating users w. roles for which the workspaces do not exist
3. Changing the argilla role or workspace after the creation of the user

could you check specifically in the oauth2.py if the changes against the DB are correctly implemented.

[frascuchon]

Thanks, @paulbauriegel, and sorry for the late response. I need to review your changes in deep since some of them could comprise other OAuth flows. Maybe the safer way would be a specific step syncing SSO roles and workspaces with the argilla DB.