feat: Add generic JWT auth

[wrmedford]

Closes #14250

This allows for generic JWTs to be used for authentication that are minted outside of Argo. Argo currently mints its own JWTs for auth outside of Dex, and this extends its capabilities to utilize JWTs that originate from Identity Aware Proxies.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

[bunnyshell]

🔴 Preview Environment stopped on Bunnyshell

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

• 🔵 /bns:start to start the environment
• 🚀 /bns:deploy to redeploy the environment
• ❌ /bns:delete to remove the environment

[codecov]

Codecov Report

Attention: Patch coverage is 40.49587% with 72 lines in your changes missing coverage. Please review.

Project coverage is 55.24%. Comparing base (f15e1bc) to head (5cd320f).
Report is 4 commits behind head on master.

Files with missing lines	Patch %	Lines
util/oidc/provider.go	48.93%	32 Missing and 16 partials ⚠️
util/session/sessionmanager.go	5.88%	13 Missing and 3 partials ⚠️
util/settings/settings.go	20.00%	7 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##           master   #20928    +/-   ##
========================================
  Coverage   55.23%   55.24%            
========================================
  Files         337      337            
  Lines       57055    57167   +112     
========================================
+ Hits        31515    31581    +66     
- Misses      22847    22882    +35     
- Partials     2693     2704    +11     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ChristianCiach]

That's cool, but shouldn't we at least verify a configurable aud claim? Otherwise an attacker could use any leaked JWT that happens to be signed by the right Identity Provider, even if it was intended to be used with a different Client. See https://stackoverflow.com/a/41237822/1507544

[wrmedford]

That's cool, but shouldn't we at least verify a configurable aud claim? Otherwise an attacker could use any leaked JWT that happens to be signed by the right Identity Provider, even if it was intended to be used with a different Client. See https://stackoverflow.com/a/41237822/1507544

Good call, and completely agree. Will add that as a config option.

[wrmedford]

That's cool, but shouldn't we at least verify a configurable aud claim? Otherwise an attacker could use any leaked JWT that happens to be signed by the right Identity Provider, even if it was intended to be used with a different Client. See https://stackoverflow.com/a/41237822/1507544

Added!