[17.0][IMP] auth_oidc: add groups' handling

[OdyX]

This allows groups' handling via a token's attributes as passed by a Keycloak instance serving as IdP.

• This is the 17.0-version of [IMP][12.0] auth_oidc: allow assign groups from token claims #350, then 14.0 auth OIDC groups: allow assign groups from token claims #372 , by @26houseRobot and @hbrunn , with just minor fixes

@sbidoul : I'd be happy to make any necessary changes!

[OCA-git-bot]

Hi @sbidoul,
some modules you are maintaining are being modified, check this out!

[hbrunn]

the v14 PR is based on my v12 PR which was merged - why didn't you just forward port this?

[OdyX]

@hbrunn thanks for asking! As I'm quite fresh in the Odoo ecosystem, I did not see the v12 PR. Care to share a link?

As you can see from the code, my patch works a bit differently; as it appeared that what I needed for group mapping was directly in the access token, there's no usage of the data_endpoint. But I'm also likely not fluent enough in OAuth2 to know if that is really a correct way too.

Well; in any case, I'm happy to work towards merging either this or your v12 PR (or a mix of both) for v17. We need @sbidoul 's input, right?

[hbrunn]

you find the v12 PR here

[OdyX]

@hbrunn Great. Thanks for the pointer to the v12 PR. I've now understood the code much better, and did a mostly-straightforward port, with just two minor additions as separate commits. Could you perhaps review?

[OdyX]

As the codecov warnings seem critical, I've now added some more tests around the safe_eval call of the expressions.

Edit: and now also added some groups' assignment/deassignment checks, pushing the codecov bar above the needed limits.