- Aug 23, 2021
-
-
Jenkins for Software Heritage authored
Update to upstream version '0.6.1' with Debian dir 9740be29e86f6ed59eebe7582889577cb507edcd
-
Antoine Lambert authored
When a user session has been terminated without using the logout view (for instance a user can log out from all its authenticated sessions using the Keycloak account UI), the expired OIDC profile is still in webapp cache which causes errors and prevents new user logins. So ensure to remove expired profile from cache when detecting Keycloak session is no longer active in django authentication backend. Related to T3496
-
- Jul 01, 2021
-
-
Jenkins for Software Heritage authored
Update to upstream version '0.6.0' with Debian dir ff47451b163e85f97e410a489917bdb72e9564ff
-
Antoine Lambert authored
Migrate auth command group from swh-web-client package to the swh-auth package. Related to T3385
- Jun 09, 2021
-
-
Antoine Lambert authored
-
Antoine R. Dumont authored
-
- Apr 29, 2021
-
-
Jenkins for Software Heritage authored
Update to upstream version '0.5.4' with Debian dir cbe48f053487b764e821b58c42f99771c4bf5fbc
- Apr 27, 2021
-
-
Antoine Lambert authored
Enable checking that package documentation can be built without producing sphinx warnings. The sphinx environment is designed to be used in continuous integration in order to prevent breaking documentation build when committing changes. The sphinx-dev environment is designed to be used inside a full swh development environment. Related to T3258
-
Antoine Lambert authored
Sphinx complains about an unexpected indentation if a constructor docstring is missing.
-
- Apr 22, 2021
-
-
Jenkins for Software Heritage authored
Update to upstream version '0.5.3' with Debian dir 8f38f1cf481f6704d46766c90fb3a171713618a9
-
Antoine Lambert authored
Keycloak also allows defining user roles at realm level to define permissions at a global level not tied to a client. Include these extra roles in the user permissions set from the decoded token content. Related to T3213
- Apr 13, 2021
-
-
vlorentz authored
-
- Apr 09, 2021
-
-
Antoine Lambert authored
-
Antoine Lambert authored
-
- Apr 08, 2021
-
-
Jenkins for Software Heritage authored
Update to upstream version '0.5.2' with Debian dir 69e67746b190093b5e4b8204de533b48b0806e20
- Apr 07, 2021
-
-
Antoine Lambert authored
The first time a user sends an expired token previously used to perform authenticated Web API calls, Keycloak will return the following error message: "Offline session not active". So handle that error message too for indicating a token has expired. Related to T3121
-
Jenkins for Software Heritage authored
Update to upstream version '0.5.1' with Debian dir f0529536b7e4e90479368a95b6c4b3dcbd115f26
-
Antoine Lambert authored
This replaces the Keycloak error message by a more comprehensible one for end users. Unfortunately, there is no way to get the bearer token validity period apart from using the Keycloak Admin REST API but we clearly do not want to query it in a django authentication backend. Related to T3121
-
- Apr 06, 2021
-
-
Antoine Lambert authored
-
- Apr 01, 2021
-
-
Antoine R. Dumont authored
Related to T2945
-
Antoine R. Dumont authored
Related to T2945
-
- Mar 30, 2021
-
-
Jenkins for Software Heritage authored
Update to upstream version '0.5.0' with Debian dir 2c3e79c15a522ca808dd16bfef4fe20e11db65b8
-
Antoine Lambert authored
That middleware detects when a user previously logged in using the OpenID Connect authentication backend got his session expired. In that case it will perform a redirection to a django view whose name must be set in the SWH_AUTH_SESSION_EXPIRED_REDIRECT_VIEW django setting (typically a logout view). Related to T3150
-
Antoine Lambert authored
Add a generic Django REST Framework authentication backend enabling to authenticate a user using Keycloak and OpenID Connect bearer tokens.

The backend can be easily plugged into a DRF application by:

  * adding "swh.auth.django.backends.OIDCBearerTokenAuthentication" to the REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"] django setting.
  * configuring Keycloak URL, realm and client by adding SWH_AUTH_SERVER_URL, SWH_AUTH_REALM_NAME and SWH_AUTH_CLIENT_ID in django settings

Users will then be able to perform authenticated Web API calls by sending their refresh token in HTTP Authorization headers.

Related to T3150
-
Antoine Lambert authored
Add a generic Django authentication backend and related login / logout views enabling to authenticate a user using Keycloak and the OpenID Connect authorization code flow with PKCE ("Proof Key for Code Exchange").

The backend can be easily plugged into any django application by:

  - adding "swh.auth.django.backends.OIDCAuthorizationCodePKCEBackend" to the AUTHENTICATION_BACKENDS django setting
  - configuring Keycloak by adding SWH_AUTH_SERVER_URL, SWH_AUTH_REALM_NAME and SWH_AUTH_CLIENT_ID in django settings
  - adding swh.auth.django.views.urlpatterns to the django application URLs
  - using the dedicated django views: "oidc-login" and "oidc-logout"

Related to T3150
- Mar 26, 2021
-