Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password

data/users/__init__.py

@@ -10,7 +10,7 @@ from data.users.database import DatabaseUsers
 from data.users.externalldap import LDAPUsers
 from data.users.externaljwt import ExternalJWTAuthN
 from data.users.keystone import get_keystone_users
-from data.users.oidc import OIDCInternalAuth
+from data.users.apptoken import AppTokenInternalAuth
 from util.security.aes import AESCipher
 
 logger = logging.getLogger(__name__)
@@ -25,7 +25,7 @@ def get_federated_service_name(authentication_type):
   if authentication_type == 'Keystone':
     return 'keystone'
 
-  if authentication_type == 'OIDC':
+  if authentication_type == 'AppToken':
     return None
 
   if authentication_type == 'Database':
@@ -84,12 +84,14 @@ def get_users_handler(config, _, override_config_dir):
                               keystone_admin_password, keystone_admin_tenant, timeout,
                               requires_email=features.MAILING)
 
-  if authentication_type == 'OIDC':
+  if authentication_type == 'AppToken':
     if features.DIRECT_LOGIN:
-      raise Exception('Direct login feature must be disabled to use OIDC internal auth')
+      raise Exception('Direct login feature must be disabled to use AppToken internal auth')
 
-    login_service = config.get('INTERNAL_OIDC_SERVICE_ID')
-    return OIDCInternalAuth(config, login_service, requires_email=features.MAILING)
+    if not features.APP_SPECIFIC_TOKENS:
+      raise Exception('AppToken internal auth requires app specific token support to be enabled')
+
+    return AppTokenInternalAuth()
 
   raise RuntimeError('Unknown authentication type: %s' % authentication_type)