feat: add external authorization service (authzd) with JWT authentication

- Add new authzd gRPC service implementing Envoy's external authorization API
- Integrate JWT authentication filter in Envoy configuration with claim extraction
- Update middleware to support both cookie-based and header-based user authentication
- Add comprehensive test coverage for authorization service and server
- Configure proper service orchestration with authzd, sparkled, and Envoy
- Update build system and Docker configuration for multi-service deployment
- Add grpcurl tool for gRPC service debugging and testing

This enables fine-grained authorization control through Envoy's ext_authz filter
while maintaining backward compatibility with existing cookie-based authentication.

1 files changed, 30 insertions, 0 deletions

diff --git a/pkg/web/oidc_server_test.go b/pkg/web/oidc_server_test.go
new file mode 100644
index 0000000..74d74d9
--- /dev/null
+++ b/pkg/web/oidc_server_test.go
@@ -0,0 +1,30 @@
+package web
+
+import (
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/oauth2-proxy/mockoidc"
+	"github.com/stretchr/testify/require"
+)
+
+func TestOIDCServer(t *testing.T) {
+	srv := NewOIDCServer(t)
+	defer srv.Close()
+
+	t.Run("provides a working discover endpoints", func(t *testing.T) {
+		response, err := http.Get(srv.DiscoveryEndpoint())
+
+		require.NoError(t, err)
+		require.Equal(t, http.StatusOK, response.StatusCode)
+	})
+
+	t.Run("maps the gitlab oauth routes to the mockoidc ones", func(t *testing.T) {
+		url := srv.Addr() + strings.Replace(mockoidc.DiscoveryEndpoint, mockoidc.IssuerBase, mockoidc.IssuerBase+"/oauth", 1)
+		response, err := http.Get(url)
+
+		require.NoError(t, err)
+		require.Equal(t, http.StatusOK, response.StatusCode)
+	})
+}