[OIDC] Enhance OIDC Integration: Secure client secret handling and fix access token storage

[SoniaComp]

What changes were proposed in this pull request?

• Improved security by allowing oidc_rp_client_secret to be provided via script input, reducing the risk associated with hardcoded or environment-variable-based secrets.
• Bug fix for proper storage of access tokens: Addressed an issue where access tokens were not being stored correctly, ensuring tokens are saved as expected.

How was this patch tested?

This patch was tested by building the Hue Docker image internally and deploying it via Helm chart. We verified the integration with Keycloak OIDC during testing.

Please review Hue Contributing Guide before opening a pull request.

[github-actions]

⚠️ No test files modified. Please ensure that changes are properly tested. ⚠️

[github-actions]

UI Coverage Report

Lines	Statements	Branches	Functions
	39.15% (30527/77959)	31.01% (14247/45936)	23.89% (2130/8915)

[github-actions]

Python Coverage Report •

File	Stmts	Miss	Cover	Missing
desktop/core/src/desktop/auth
backend.py	597	349	41%	62–63, 67, 77, 99–101, 175, 184, 201–202, 216–218, 245–246, 255–256, 260–261, 271–274, 276, 279–284, 291, 305, 316, 339, 357, 362, 388–389, 393–395, 397, 399, 403, 415–419, 421, 423, 427, 438, 440–442, 444–447, 449–451, 453–460, 462, 464, 466–467, 469, 473, 483–485, 487, 489–490, 492–496, 498–500, 502, 505–508, 510, 512–513, 515, 517–521, 523–525, 527–530, 532–533, 537, 540, 542–546, 549, 552–553, 556–558, 560, 562–563, 565, 568, 570–571, 573, 577, 579, 582–583, 586–587, 591–597, 599–602, 604–608, 610–616, 618–623, 625, 627–628, 630, 633–635, 639–640, 642–648, 650–652, 654–658, 662, 664, 667, 669–670, 674, 700, 720, 724–726, 736–740, 742–744, 746–753, 755, 757, 759–760, 762, 766–767, 770–772, 780–784, 786–788, 790–797, 799, 801, 803–804, 807–809, 814, 816–817, 819–821, 823–824, 826, 828, 839–840, 843–846, 849, 851–854, 856, 858, 860, 863–866, 869, 871–872, 878–881, 883–887, 889, 897–898, 901–902, 904–905, 908–910, 913–916, 926–929, 933–934, 936–938, 940–945, 950, 954–961, 963, 965–966, 974–986
TOTAL	54185	27078	50%

Pytest Report

Tests	Skipped	Failures	Errors	Time
1186	106 💤	0 ❌	0 🔥	5m 57s ⏱️

[Copilot]

Pull Request Overview

This PR enhances OIDC integration by introducing support for dynamically acquiring the OIDC RP client secret via a script and fixes access token storage issues.

• Introduces a new configuration option (OIDC_RP_CLIENT_SECRET_SCRIPT) for secret retrieval.
• Adjusts the authentication and logout methods to use the new secret source as a fallback.
• Updates configuration templates to document the new option.

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
desktop/core/src/desktop/settings.py	Added retrieval for a new client secret script configuration.
desktop/core/src/desktop/conf.py	Updated default client secret value and added a new secret script config.
desktop/core/src/desktop/auth/backend.py	Modified authentication flow to use the new secret and added token-saving behavior; possible indentation issue.
desktop/conf/pseudo-distributed.ini.tmpl	Updated config comments to include the new secret script option (naming inconsistency noted).
desktop/conf.dist/hue.ini	Updated config comments to include the new secret script option (naming inconsistency noted).

Comments suppressed due to low confidence (3)

desktop/core/src/desktop/auth/backend.py:875

• The function 'save_refresh_tokens' appears to be indented within 'save_access_tokens', causing it to be defined as a nested function instead of a class method. Consider moving it to the same indentation level as 'save_access_tokens'.

def save_refresh_tokens(self, refresh_token):

desktop/conf/pseudo-distributed.ini.tmpl:834

• The configuration key in the template ('oidc_rp_client_script') does not match the key used in the code ('oidc_rp_client_secret_script'). Update the template for consistency.

## oidc_rp_client_script=

desktop/conf.dist/hue.ini:832

• The configuration key in the template ('oidc_rp_client_script') does not match the key used in the code ('oidc_rp_client_secret_script'). Update the template for consistency.

## oidc_rp_client_script=

[Harshg999]

Thanks @SoniaComp for contributing a fix!
I've left one small review comment.

[Harshg999]

LGTM!

[Harshg999]

@SoniaComp Looks like there are some unit test failures, can you please check? Also is this change required?