Authenticate against external identity provider, and send grant to Trino

[RoseGoldIsntGay]

Description

The new KeycloakAuthentication auth flow allows usage of an external OIDC identity provider to authenticate against a Trino cluster secured using OAuth2.

Non-technical explanation

This authentication type uses credentials for an OpenId Connect provider, such as Keycloak, retrieves a grant token and uses it to authenticate against Trino.

Release notes

( ) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
(x) Release notes are required, with the following suggested text:

Keycloak Authentication

The KeycloakAuthentication class can be used to connect to a Trino cluster that is configured with the OAuth2 authentication type using an external OIDC identity provider (i.e Keycloak)

It works by sending credentials to the OpenId identity provider and recieving a grant, then passing said grant to the Trino cluster secured using OAuth2

Warning

Client Authentication must be turned off (public access) as the flow does not send a client secret

• DBAPI

  from trino.dbapi import connect
  from trino.auth import KeycloakAuthentication
  
  conn = connect(
      user="<username>",
      auth=KeycloakAuthentication(
          username="<username>",
          password="<password>",
          keycloak_url="<keycloak_url>",
          realm="<realm>",
          client_id="<client_id>",
      ),
      ...
  )

[cla-bot]

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla