Allow OAuth and OIDC login engines to bind to fields in internal auth
This feature is subtle but very important: Currently, when a user logs in via an "external" auth system (such as Github), they are either logged into an existing bound account or a new account is created for them in the database. While this normally works just fine, it hits a roadblock when the *internal* auth system configured is not the database, but instead something like LDAP. In that case, *most* Enterprise customers will prefer that logging in via external auth (like OIDC) will also *automatically* bind the newly created account to the backing *internal* auth account. For example, login via PingFederate OIDC (backed by LDAP) should also bind the new QE account to the associated LDAP account, via either username or email. This change allows for this binding field to be specified, and thereafter will perform the proper lookups and bindings.
This commit is contained in:
parent
c6b0376d61
commit
2c35383724
5 changed files with 315 additions and 59 deletions
@ -64,6 +64,17 @@ class OAuthService(object):
def client_secret(self):
return self.config.get('CLIENT_SECRET')
def login_binding_field(self):
""" Returns the name of the field (`username` or `email`) used for auto binding an external
login service account to an *internal* login service account. For example, if the external
login service is GitHub and the internal login service is LDAP, a value of `email` here
will cause login-with-Github to conduct a search (via email) in LDAP for a user, an auto
bind the external and internal users together. May return None, in which case no binding
is performing, and login with this external account will simply create a new account in the
database.
"""
return self.config.get('LOGIN_BINDING_FIELD', None)
def get_auth_url(self, app_config, redirect_suffix, csrf_token, scopes):
""" Retrieves the authorization URL for this login service. """
redirect_uri = '%s/oauth2/%s/callback%s' % (get_app_url(app_config), self.service_id(),
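Review bot: `login_binding_field` hands back whatever is stored under `LOGIN_BINDING_FIELD` without checking it, even though the docstring commits to exactly two legal values (`username` or `email`); since this value decides which attribute is used to search the internal directory and auto-bind accounts, a typo or unexpected value in config should fail loudly at startup (or be rejected here) rather than silently fall through to the no-binding path or to a lookup on the wrong attribute. The docstring also needs two fixes: "in LDAP for a user, an auto bind" should read "and auto bind", and "no binding is performing" should read "no binding is performed"; "login-with-Github" should be "GitHub" to match the earlier mention. The hunk header announces 17 new lines but the visible hunk stops mid-way through `get_auth_url`, so the rest of the binding lookup logic this getter feeds cannot be reviewed from this excerpt.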