coordination #89020

Updated by okurz 9 months ago

## Motivation
Again the identity provider we use from openSUSE is causing some problems, e.g. see #88751, so we thought about investing in alternatives that we can use in parallel to the existing way. We already have support for other identity providers but not at the same time.

## Acceptance criteria
* **AC1:** offers login over both the existing provider and another one, e.g. using GitHub

## Observation
In the openQA configuration one can currently choose between *FakeAuth*, *OpenID* and *OAuth2*. Setting `auth/method` in the config file changes that globally. Only one method can be used at the same time. Changing it would require all logins to go through the new method. And *Login* always immediately redirects to the configured provider.

## Suggestions
- Add a *provider* column to the *Users* table
- Make *username* unique across providers (so the new unique constraint would be `username,provider` and *not* just `username`)
- Allow configuring multiple auth methods at the same time
- Allow configuring multiple providers per auth method at the same time at least for *OAuth2* (to be able to support e.g. ipsilon and GitHub at the same time)
- Ensure existing data defaults to the active provider upon migration **or** continues to work as-is with manual intervention required
- Provide UX in the web UI e.g. expose buttons for providers to choose from
- Make it clear in the UI which authentication provider is used
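
The schema change from the suggestions above, sketched as an added example (not openQA code). It uses SQLite through Python, and the table columns and the provider labels `opensuse` and `github` are assumptions made for illustration. It shows existing rows defaulting to the previously active provider, and the `username,provider` constraint keeping a same-named identity from a second provider away from the existing account and its roles.

```python
import sqlite3

# Simplified stand-in for the Users table (assumed columns, not openQA's schema).
OLD_SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    is_admin INTEGER NOT NULL DEFAULT 0
);
"""

def migrate(db, active_provider):
    """Rebuild users with a provider column and a (username, provider) key.

    Existing rows are assigned to the provider that was active before the
    migration, so current accounts keep their ids and roles.
    """
    db.executescript("""
        ALTER TABLE users RENAME TO users_old;
        CREATE TABLE users (
            id       INTEGER PRIMARY KEY,
            username TEXT NOT NULL,
            provider TEXT NOT NULL,
            is_admin INTEGER NOT NULL DEFAULT 0,
            UNIQUE (username, provider)
        );
    """)
    db.execute(
        "INSERT INTO users (id, username, provider, is_admin) "
        "SELECT id, username, ?, is_admin FROM users_old",
        (active_provider,),
    )
    db.execute("DROP TABLE users_old")
    db.commit()

def login(db, provider, username):
    """Return (id, is_admin) for the identity, creating it unprivileged if new."""
    db.execute("INSERT OR IGNORE INTO users (username, provider) VALUES (?, ?)",
               (username, provider))
    db.commit()
    return db.execute(
        "SELECT id, is_admin FROM users WHERE username = ? AND provider = ?",
        (username, provider)).fetchone()

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(OLD_SCHEMA)
    db.execute("INSERT INTO users (username, is_admin) VALUES ('alice', 1)")  # constructed row
    migrate(db, "opensuse")
    return login(db, "opensuse", "alice"), login(db, "github", "alice")
```

With a lookup keyed on `username` alone, the second login would have resolved to the existing admin row; keyed on the pair, it gets a fresh unprivileged account.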