feat: Add access token support in the OIDC

[shawnhankim]

Proposed changes

• The current OIDC only support ID token for user authentication and does not support access token for the API authorization yet. The feature of access token has been recently added in the NGINX Plus OIDC repo, and this PR is to synchronize the feature into NGINX Ingress Controller.
• This change is to add $access_token support for authorizing protected resources in the OpenID Connect (OIDC).
• This PR is also to resolve the issue OIDC: option to pass access token as authorization header to upstream #2635 to enable OIDC option (accessTokenEnable) to pass $access_token as authorization header to upstream.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING doc
• I have added tests that prove my fix is effective or that my feature works
• I have checked that all unit tests pass after adding my changes
• I have updated necessary documentation
• I have rebased my branch onto main
• I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

[shawnhankim]

@brianehlert : This PR is one of OIDC enhancements which are discussed in the Slack channel.
@shaun-nx, @brianehlert : I would appreciate it if you could review this PR. Please let me know if I miss anything.

[brianehlert]

@shawnhankim
This appears to support passing the access token to the upstream / backend. Is that correct?
When this project takes updates from the OIDC repository, we try to take all the changes and therefore maintain the OIDC reference implementation as a source of truth, and not that this is some random fork. Does this PR include all enhancements? (Whether exposed or not)

[shawnhankim]

@brianehlert

This appears to support passing the access token to the upstream / backend. Is that correct?

• Yes, it is correct.
• So, we can answer to the question of ID token (for user authentication) / access token (for API/protected-resource authorization) such as this kind of article based on this additional feature of access token as we already have the session_jwt which is the id_token.

[shawnhankim]

@brianehlert

When this project takes updates from the OIDC repository, we try to take all the changes and therefore maintain the OIDC reference implementation as a source of truth, and not that this is some random fork. Does this PR include all enhancements? (Whether exposed or not)

• This PR is to take all the changes from the latest version of OIDC reference implementation which is the source of truth.
• The rest of enhancements are being reviewed by NGINX Plus Team. Those PRs are going to be separately synchronized here once they are merged in the source repo of truth based on N+ team's schedule.

Please let me know if I miss anything about your question.

[lucacome]

@shawnhankim can you rebase the PR with main and run make update-crds?

[shawnhankim]

[shawnhankim]

@shawnhankim can you rebase the PR with main and run make update-crds?

Thanks @lucacome for this feedback and letting me know. Addressed it.

[lucacome]

Thanks @shawnhankim !

[ciarams87]

LGTM, thanks so much @shawnhankim!

[codecov]

Codecov Report

Merging #3474 (e6af55d) into main (2b40efe) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##             main    #3474   +/-   ##
=======================================
  Coverage   52.23%   52.23%           
=======================================
  Files          59       59           
  Lines       16877    16878    +1     
=======================================
+ Hits         8816     8817    +1     
  Misses       7766     7766           
  Partials      295      295           

Impacted Files	Coverage Δ
internal/configs/version2/http.go	0.00% <ø> (ø)
internal/configs/virtualserver.go	95.08% <100.00%> (+<0.01%)	⬆️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more