[SSO] Add initial SSO integration

[mandarl]

• Entry point is a link on the login page. We can style it as button later.

  

• This redirects to the dev mode keycloak container. The browser url is http://keycloak:8080 so devs need to add local DNS entry that redirects keycloak to 127.0.0.1. I couldn't figure out a way to avoid this. The keycloak container uses the openldap container as it's datasource.

  

• On successful login we are redirected back to calendar. I have added a couple of useful links in the account menu.

  

[mandarl]

This is to ensure that xdebug can connect inside docker instance.

[zphelj]

Makes sense to me.

[mandarl]

This should probably be a singleton. But that will mean we will have to be careful about switching access tokens for users. This will work for now.

[zphelj]

Can you provide a scenario where this would break in our current environment using our current procedures? How would we change those to 'be more careful'?

[mandarl]

It doesn't break anything but has different trade-offs:

Per session instance (as implemented in this PR):
This implementation means that there is a separate instance of OpenIDConnectService for every logged in user. Each of these instances will call the .well-known url (https://login.dallasmakerspace.org/auth/realms/DMS/.well-known/openid-configuration) on keycloak to get config.

Singleton approach:
If we switch to singleton then there will be one instance for the whole application. We would avoid the call to get config for each user. However, we would need to maintain a map of access tokens for each user. Whenever we fetch groups for a user we have to set that user's access token on the oidc client.

Conclusion:
Singleton is too much of a hassle to implement without much benefit.

[zphelj]

Looks OK to me though my SSO experience is limited and my PHP is rusty!