auth/backends: Simplify and improve OIDC authentication
While working on #2267 (closed), I noticed a couple of improvements could be added to the OIDC auth backend implementation:
-
there is no need to query the
userinfoendpoint of the OIDC server when authenticating as those information can also be found in the decoded access token -
use a more reliable access token expiration date (use
exptimestamp in decoded token) -
check groups claim is present in decoded token before trying to read it
Migrated from D2876 (view on Phabricator)