Have external login always make an API request to get the authorization URL

This makes the OIDC lookup lazy, ensuring that the rest of the registry and app continues working even if one OIDC provider goes down.

oauth/base.py

@@ -1,4 +1,7 @@
 import logging
+import urllib
+
+from util import get_app_url
 
 logger = logging.getLogger(__name__)
 
@@ -10,7 +13,6 @@ class OAuthGetUserInfoException(Exception):
   """ Exception raised if a call to get user information fails. """
   pass
 
-
 class OAuthService(object):
   """ A base class for defining an external service, exposed via OAuth. """
   def __init__(self, config, key_name):
@@ -38,6 +40,10 @@ class OAuthService(object):
     """ Performs validation of the client ID and secret, raising an exception on failure. """
     raise NotImplementedError
 
+  def authorize_endpoint(self):
+    """ Endpoint for authorization. """
+    raise NotImplementedError
+
   def requires_form_encoding(self):
     """ Returns True if form encoding is necessary for the exchange_code_for_token call. """
     return False
@@ -48,6 +54,20 @@ class OAuthService(object):
   def client_secret(self):
     return self.config.get('CLIENT_SECRET')
 
+  def get_auth_url(self, app_config, redirect_suffix, csrf_token, scopes):
+    """ Retrieves the authorization URL for this login service. """
+    redirect_uri = '%s/oauth2/%s/callback%s' % (get_app_url(app_config), self.service_id(),
+                                                redirect_suffix)
+    params = {
+      'client_id': self.client_id(),
+      'redirect_uri': redirect_uri,
+      'scope': ' '.join(scopes),
+      'state': csrf_token,
+    }
+
+    authorize_url = '%s%s' % (self.authorize_endpoint(), urllib.urlencode(params))
+    return authorize_url
+
   def get_redirect_uri(self, app_config, redirect_suffix=''):
     return '%s://%s/oauth2/%s/callback%s' % (app_config['PREFERRED_URL_SCHEME'],
                                              app_config['SERVER_HOSTNAME'],