RBAC: group type subject for oauth provider (integration with GitLab) #1031

Closed as not planned
@eanikindfi

Description

Issue submitter TODO list

  • I've searched for already existing issues here
  • I'm running a supported version of the application which is listed here and the feature is not present there

Is your proposal related to a problem?

Implement a group type subject for the oauth provider to enhance security and provide a more stable production solution.

Describe the feature you're interested in

According to the official documentation, the oauth provider has only 2 types of subjects: user and role.
It would be great to add a group type.

Our current configuration with user type subjects through the helm chart:

```yaml
yamlApplicationConfig:
  auth:
    type: OAUTH2
    oauth2:
      client:
        gitlab:
          clientId: my_id
          clientSecret: my_secret
          client-name: GitLab
          client-authentication-method: client_secret_post
          authorization-grant-type: authorization_code
          authorization-uri: https://my-gitlab.com/oauth/authorize
          issuer-uri: https://my-gitlab.com
          jwk-set-uri: https://my-gitlab.com/oauth/discovery/keys
          # user type subjects below are compared against this claim (the display name)
          user-name-attribute: name
          provider: oauth
          redirect-uri: https://my-kafka.net/login/oauth2/code/gitlab
          scope: openid
          token-uri: https://my-gitlab.com/oauth/token
          custom-params:
            type: oauth
            # role type subjects are compared against this claim
            roles-field: groups
  rbac:
    roles:
      - name: "admins"
        clusters:
          - my-kafka
        subjects:
          - provider: oauth
            type: user
            value: "Paul Atreides"
          - provider: oauth
            type: user
            value: "Viktor Krum"
          - provider: oauth
            type: user
            value: "Razputin Aquato"
        permissions:
          - resource: applicationconfig
            actions: all
          - resource: clusterconfig
            actions: all
          - resource: topic
            value: ".*"
            actions: all
          - resource: consumer
            value: ".*"
            actions: all
          - resource: schema
            value: ".*"
            actions: all
          - resource: connect
            value: ".*"
            actions: all
          - resource: ksql
            actions: all
          - resource: acl
            actions: [ view ]
```

It works fine, but in theory you can face a security violation where a GitLab user with the same name will get access to Kafbat.

Describe alternatives you've considered

Create a specific GitLab provider with this type of subject and maybe some other types.

Version you're running

v1.1.0 (4cf17a0)

Additional context

helm-chart version = 1.5.0
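Editor's added example, not the reporter's configuration and not Kafbat UI's own code: a small Python model of the subject matching the issue describes (a `user` subject compared against the claim named by `user-name-attribute`, a `role` subject compared against the list in `roles-field`), plus a hypothetical `group` subject type evaluated the same way as `role`. The claim sets are constructed to look like a GitLab OIDC userinfo response; `preferred_username`, `sub` and `groups` as claim names are assumptions about the identity provider, and how Kafbat UI actually resolves subjects is not asserted here. The point it demonstrates is that a second account with the same display name collides with a display-name subject but not with a subject keyed on a username or on group membership.

```python
# Illustrative model of RBAC subject evaluation against OIDC claims (added example,
# not Kafbat UI's implementation). Claim names and values are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    provider: str
    type: str   # "user", "role", or the hypothetical "group"
    value: str


@dataclass(frozen=True)
class Role:
    name: str
    subjects: tuple


def subject_matches(subject, claims, *, user_name_attribute, roles_field):
    """True if one RBAC subject matches the claims of the logged-in user."""
    if subject.provider != "oauth":
        return False
    if subject.type == "user":
        # user subjects are compared with the claim user-name-attribute points at
        return claims.get(user_name_attribute) == subject.value
    if subject.type in ("role", "group"):
        # role/group subjects are compared with the list found in roles-field
        return subject.value in claims.get(roles_field, [])
    raise ValueError(f"unknown subject type: {subject.type}")


def roles_for(claims, roles, *, user_name_attribute="name", roles_field="groups"):
    """Names of the RBAC roles granted to a user presenting these claims."""
    return sorted(
        role.name
        for role in roles
        if any(subject_matches(s, claims, user_name_attribute=user_name_attribute,
                               roles_field=roles_field) for s in role.subjects)
    )


# Constructed claims shaped like a GitLab OIDC userinfo response (values invented).
PAUL = {"sub": "42", "preferred_username": "patreides", "name": "Paul Atreides",
        "groups": ["kafka-admins"]}
# A different account whose owner set the same display name.
IMPOSTOR = {"sub": "9001", "preferred_username": "mallory", "name": "Paul Atreides",
            "groups": []}

# 1. The issue's configuration: user-name-attribute: name, subjects by display name.
ADMINS_BY_DISPLAY_NAME = (Role("admins", (Subject("oauth", "user", "Paul Atreides"),)),)

# 2. Same subject type, but keyed on the account's username claim.
ADMINS_BY_USERNAME = (Role("admins", (Subject("oauth", "user", "patreides"),)),)

# 3. The requested group subject, keyed on GitLab group membership.
ADMINS_BY_GROUP = (Role("admins", (Subject("oauth", "group", "kafka-admins"),)),)


def demo():
    """Roles granted to (legitimate user, impostor) under each configuration."""
    return {
        "display_name": (roles_for(PAUL, ADMINS_BY_DISPLAY_NAME),
                         roles_for(IMPOSTOR, ADMINS_BY_DISPLAY_NAME)),
        "username": (roles_for(PAUL, ADMINS_BY_USERNAME,
                               user_name_attribute="preferred_username"),
                     roles_for(IMPOSTOR, ADMINS_BY_USERNAME,
                               user_name_attribute="preferred_username")),
        "group": (roles_for(PAUL, ADMINS_BY_GROUP),
                  roles_for(IMPOSTOR, ADMINS_BY_GROUP)),
    }


if __name__ == "__main__":
    for config, (legit, impostor) in demo().items():
        print(f"{config:13s} legitimate={legit} impostor={impostor}")
```

Of the three keys, the display name is the only one another account holder can set to an arbitrary value; a username is unique at any one time but can be renamed, while group membership is controlled by the group's owners rather than by the subject being matched, which is what makes a group subject the more robust choice for production access control.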
