
WIP: Add authentication class for DRF #297

Open. Wants to merge 1 commit into base branch develop.

Conversation

@iyawnis (iyawnis) commented Oct 23, 2018

This is currently work in progress. I am looking to introduce two new classes, to be used as authentication classes for DRF. The aim of this is to allow a backend service, which communicates with a frontend, to verify that the OIDC tokens it receives from the frontend are valid for this service.

As the service I have been using this code with has no concept of a user, I am not sure what the best way of incorporating this concept is. Currently, if a request is authenticated, the token payload (whether the ID token or the introspection result for an access token) is added on request.user.token.

I am looking for feedback on whether this is moving in a reasonable direction. Also, please keep in mind I am very short on time, so this is currently moving very slowly.

@juanifioren (juanifioren, Owner) left a comment

Documentation needed

return None

@property
def OIDC_INTERSPECT_USERNAME(self):
@juanifioren (Owner) commented on the lines above:

typo "interspect"

@juanifioren (juanifioren, Owner) left a comment

Why make an HTTP request in the introspect_token method? Maybe use the existing utils to validate it, or hit the DB directly. 🤔

@iyawnis (iyawnis, Author) commented Oct 24, 2018

The aim of this code is to allow someone who is building a DRF API to validate the OIDC tokens that the frontend is passing to it. As such, it would not have any DB that can verify a token is valid; it would need to communicate with the OIDC server the frontend receives its tokens from.
This is why I opened the PR before it's ready: to find out whether this functionality is something within the scope of this package.

The flow goes like this:

Frontend authenticates with OIDC and receives an ID / access token.
Frontend makes API calls to the backend (DRF API) and passes the token received from OIDC.
Backend verifies the OIDC token is valid for this service, and proceeds with serving the request.
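To make the backend step of that flow concrete, here is an added example (not code from this PR or from django-oidc-provider) of the access-token introspection check such an authentication class would perform, written against the Python standard library only. It assumes placeholder settings for the OP's introspection endpoint and this service's client credentials, that the OP reports the token's intended audience in `aud`, and an injectable `transport` so the check can be exercised offline.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumed settings (placeholders): the OP's introspection endpoint and the
# credentials this backend service uses to authenticate to it (RFC 7662).
INTROSPECTION_URL = "https://op.example/openid/introspect/"
SERVICE_CLIENT_ID = "backend-api"
SERVICE_CLIENT_SECRET = "change-me"

def bearer_token_from(authorization):
    """Token from an 'Authorization: Bearer <token>' header value, else None."""
    parts = (authorization or "").split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1]

def build_introspection_request(token):
    """Form-encoded POST carrying the token; this service authenticates with HTTP Basic."""
    body = urllib.parse.urlencode({"token": token}).encode()
    creds = base64.b64encode(f"{SERVICE_CLIENT_ID}:{SERVICE_CLIENT_SECRET}".encode()).decode()
    return urllib.request.Request(
        INTROSPECTION_URL, data=body, method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"})

def http_transport(req):
    """Real transport: send the request and decode the JSON introspection response."""
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())

def verify_access_token(token, transport=http_transport, now=None):
    """Return the introspection payload only if the token is active, unexpired and
    intended for this service; otherwise None. The payload is what the PR stores
    as request.user.token. `transport` is injectable so the check runs offline."""
    if not token:
        return None
    payload = transport(build_introspection_request(token))
    if payload.get("active") is not True:
        return None
    aud = payload.get("aud") or []  # a token with no audience is not ours either
    if SERVICE_CLIENT_ID not in ([aud] if isinstance(aud, str) else aud):
        return None  # active, but issued for some other resource, not this API
    exp = payload.get("exp")
    if exp is not None and exp <= (time.time() if now is None else now):
        return None
    return payload
```

A DRF authentication class would call `verify_access_token(bearer_token_from(request.META.get("HTTP_AUTHORIZATION")))` from its `authenticate` method and reject the request when it returns None.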
