Support external OIDC Identity Providers #128

@alukach

Description

Implement support for platform-registered OIDC Identity Providers in the data proxy as described in ADR-004.

Platform IdPs are pre-configured by Source Cooperative operators. Each defines an issuer URL, well-known claims, and audience hint. Roles reference these IdPs in their identity constraints.

Key Requirements

  • Platform IdP registry with initial providers:
    • Source Cooperative Auth (auth.source.coop) — interactive users, CLI login
    • GitHub Actions (https://token.actions.githubusercontent.com) — CI/CD pipelines
    • GitLab CI/CD (https://gitlab.com)
    • Azure DevOps (https://vstoken.dev.azure.com/<org_id>)
    • HCP Terraform (https://app.terraform.io)
    • Vercel (https://oidc.vercel.com/<team_slug>)
  • Each IdP defines: id, issuer_url, display_name, well_known_claims[], audience_hint
  • JWKS discovery and caching per IdP (1hr TTL, stale-while-revalidate up to 24hr, 256KB max response, 3s timeout)
  • JWT verification: signature (via JWKS), exp, nbf (60s clock skew tolerance), aud
  • Extensible design: operators can add new IdPs without code changes
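The JWT verification requirement above (signature via the IdP's JWKS, exp, nbf with 60 s clock-skew tolerance, aud), worked as an added Go example; this is not code from the data proxy or from ADR-004. It assumes ES256-signed tokens, a `PlatformIdP` type that mirrors the registry fields listed in the issue, and a freshly generated key standing in for the provider's published JWKS. `MintToken` and `NewGitHubActionsIdP` exist only so the block runs offline; the claim and key-id values are constructed example values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PlatformIdP carries the registry fields named in the issue plus the keys
// resolved from the provider's JWKS (assumed here to be ES256 keys indexed by kid).
type PlatformIdP struct {
	ID, IssuerURL, DisplayName string
	WellKnownClaims             []string
	AudienceHint                string
	Keys                        map[string]*ecdsa.PublicKey
}

const ClockSkew = 60 * time.Second // tolerance applied to exp and nbf

// Audience accepts both the string and the array form of "aud" (RFC 7519 §4.1.3).
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = Audience{one}
		return nil
	}
	var many []string
	err := json.Unmarshal(b, &many)
	*a = many
	return err
}

type Claims struct {
	Iss string   `json:"iss"`
	Aud Audience `json:"aud"`
	Exp int64    `json:"exp"`
	Nbf int64    `json:"nbf"`
}

var b64 = base64.RawURLEncoding

// VerifyToken proves the signature against the IdP's JWKS keys first, then checks
// iss, exp, nbf (each with ClockSkew) and aud, so no claim is trusted before the
// signature holds. alg is pinned to ES256, which rejects "none" and HS* headers.
func VerifyToken(idp *PlatformIdP, token, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("bad header or unsupported alg")
	}
	key, ok := idp.Keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q for %s", hdr.Kid, idp.ID)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // ES256 signatures are raw r||s, 32 bytes each
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(key, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != idp.IssuerURL {
		return nil, fmt.Errorf("issuer %q is not %s", c.Iss, idp.IssuerURL)
	}
	if c.Exp == 0 || now.After(time.Unix(c.Exp, 0).Add(ClockSkew)) {
		return nil, errors.New("token expired or missing exp")
	}
	if now.Add(ClockSkew).Before(time.Unix(c.Nbf, 0)) {
		return nil, errors.New("token not yet valid")
	}
	for _, a := range c.Aud {
		if a == wantAud {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("audience %v does not include %q", c.Aud, wantAud)
}

// MintToken plays the IdP's signing side so the example runs offline (test fixture only).
func MintToken(priv *ecdsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid, "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig)
}

// NewGitHubActionsIdP builds the GitHub Actions registry entry from the issue with a
// generated key standing in for the provider's JWKS; the kid is a constructed value.
func NewGitHubActionsIdP() (*PlatformIdP, *ecdsa.PrivateKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &PlatformIdP{ID: "github-actions", IssuerURL: "https://token.actions.githubusercontent.com",
		DisplayName: "GitHub Actions", WellKnownClaims: []string{"repository", "ref"}, AudienceHint: "source.coop",
		Keys: map[string]*ecdsa.PublicKey{"kid-1": &priv.PublicKey}}, priv
}
```

The order of checks is the point: decoding the header is unavoidable (kid and alg select the key), but nothing in the payload is read until the signature has been verified, and the expected alg comes from the verifier, never from the token. An unknown kid is returned as an error here; in the proxy it is the natural trigger for a rate-limited refresh of that IdP's cached JWKS, since it is also what a legitimate key rotation looks like.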

Future Extension

Account-registered IdPs (allowing accounts to register corporate identity systems like Okta, Entra ID, Keycloak) are deferred, but the design should not preclude them.
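The per-IdP JWKS caching rule in the requirements list (1 h TTL, stale-while-revalidate up to 24 h, 256 KB maximum response, 3 s timeout), worked as an added Go example; this is not code from the data proxy. The `JWKSCache`, `Fetcher` and `HTTPFetcher` names are assumptions for illustration, and the clock is injectable so the policy can be exercised without waiting.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"sync"
	"time"
)

// Cache policy values taken from the issue.
const (
	FreshTTL     = time.Hour      // younger than this: serve from cache, no network
	StaleMax     = 24 * time.Hour // up to this age: serve stale while a background refresh runs
	MaxJWKSBytes = 256 << 10      // cap on the JWKS response body
	FetchTimeout = 3 * time.Second
)

// Fetcher retrieves the raw JWKS document; HTTPFetcher is the real one and tests substitute a fake.
type Fetcher func(ctx context.Context, url string) ([]byte, error)

type entry struct {
	body      []byte
	fetchedAt time.Time
}

// JWKSCache keeps one entry per IdP JWKS URL.
type JWKSCache struct {
	mu         sync.Mutex
	entries    map[string]entry
	refreshing map[string]bool // de-duplicates concurrent background refreshes
	fetch      Fetcher
	Now        func() time.Time // injectable clock
}

func NewJWKSCache(f Fetcher) *JWKSCache {
	return &JWKSCache{entries: map[string]entry{}, refreshing: map[string]bool{}, fetch: f, Now: time.Now}
}

// Get applies the fresh / stale / expired rules: under 1h the cached bytes are
// returned; between 1h and 24h the stale copy is returned immediately and a
// refresh runs in the background; older than 24h (or never fetched) the fetch is
// synchronous and a failure is returned rather than a stale key set.
func (c *JWKSCache) Get(ctx context.Context, url string) ([]byte, error) {
	c.mu.Lock()
	e, ok := c.entries[url]
	c.mu.Unlock()
	age := c.Now().Sub(e.fetchedAt)
	switch {
	case ok && age < FreshTTL:
		return e.body, nil
	case ok && age < StaleMax:
		c.mu.Lock()
		if !c.refreshing[url] {
			c.refreshing[url] = true
			go c.Refresh(context.Background(), url) // detached from the request's ctx on purpose
		}
		c.mu.Unlock()
		return e.body, nil
	}
	if err := c.Refresh(ctx, url); err != nil {
		return nil, err
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.entries[url].body, nil
}

// Refresh fetches url within FetchTimeout and replaces the cached entry on
// success; a failed or oversized fetch leaves the previous entry untouched.
func (c *JWKSCache) Refresh(ctx context.Context, url string) error {
	ctx, cancel := context.WithTimeout(ctx, FetchTimeout)
	defer cancel()
	body, err := c.fetch(ctx, url)
	c.mu.Lock()
	defer c.mu.Unlock()
	delete(c.refreshing, url)
	if err != nil {
		return err
	}
	if len(body) > MaxJWKSBytes {
		return fmt.Errorf("jwks %s: %d bytes exceeds the %d-byte limit", url, len(body), MaxJWKSBytes)
	}
	c.entries[url] = entry{body: body, fetchedAt: c.Now()}
	return nil
}

// HTTPFetcher reads at most MaxJWKSBytes+1 bytes so an oversized document is
// detected by Refresh without ever being buffered in full.
func HTTPFetcher(client *http.Client) Fetcher {
	return func(ctx context.Context, url string) ([]byte, error) {
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
		if err != nil {
			return nil, err
		}
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		defer resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("jwks %s: HTTP %d", url, resp.StatusCode)
		}
		return io.ReadAll(io.LimitReader(resp.Body, MaxJWKSBytes+1))
	}
}
```

Two properties matter for a proxy that fronts many IdPs: an IdP outage after the 1 h TTL does not take down token verification (stale keys keep serving, and a refresh that fails never evicts them), while after 24 h the cache fails closed instead of trusting keys the provider may have rotated out. The size cap and timeout bound what a slow or misbehaving issuer endpoint can cost the proxy per request.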

Labels: enhancement (New feature or request)