OAuth2 Client credentials flow for M2M requests

[byewokko]

OAuth defines client credentials flow as a means of obtaining access token on behalf of the client application, without end-user authentication. This token is used for M2M requests, like an API key.

Describe the solution you'd like

• The token endpoint initiates the client credentials flow if the grant_type request parameter value is client_credentials.
• The code parameter must not be expected in this case.
• The client must be authenticated according to their configured token_endpoint_auth_method.
• If successful, the server must issue a new access token and ID token (without refresh token!) and return them in the response.

See RFC6749#4.4 for details.

[byewokko]

Set up confidential client (with client secret)

• create client
• set secret using API https://github.com/TeskaLabs/seacat-auth/blob/main/seacatauth/client/handler.py#L32
• set token_endpoint_auth_method to client_secret_basic using update API https://github.com/TeskaLabs/seacat-auth/blob/main/seacatauth/client/handler.py#L33

Implement client link to m2m credentials

• New m2m_credentials_id attribute in client.
• This allows for assigning tenants and roles to the client.

Implement client credentials flow

• Must comply with https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
• Make sure that the common auth code flow (with authorized user) is also handled somehow - at least NotImplementedError.
• Create root SSO session with m2m_credentials_id, then immediately create client session with client_id.

Bonus

• Implement WebUI for resetting client secret and setting token_endpoint_auth_method and m2m_credentials_id.