feat(backend): add oauth2 (#9333)

* feat(backend): add oauth2

* fix import

* Add inventree roles

* refactor to make lookup more efficient

* fix single scope definitions

* cleanup

* fix schema

* reduce auth methods

* fix OAuth validator

* re-enable token and basic auth again

* Add models to role mapping

* change scope args

* add debug step for schema generation

* add oauth config for schema generation

* improve token -> permission mapping

* fix req

* extend checks to ensure normal auth also passes

* fix api version

* fix ignore

* fix rule name

* bump api version

* remove old modelref

* move scope definition

* make test results easier to work with

* add tests to ensure scopes are in sync with rulesets

* fix docstring

* fix various permissions and their mapping to oauth

* refactor

* simplify

* fix permission mapping

* ignore failure cases

* fix unauthenticated access

* flag oAuth2 till it is done

* Add OIDC support

* add RSA key generation and docs

* fix test

* move imports

* update ignore

* feat(backend): Add API Schema stats

* add scope stats

* fix name

* fix scope output

* feat(backend): test custom command

* add warning for unknown scopes

* reduce diff in launch.json

* cleanup  diff

* add error code for ruleset / scope issues

* update structure

* add oauth docs

* add experimetnal feature docs

* simplify metadata endpoint

* add importer model

* refactor(backend): simplify metadata endpoint

* fix imports

* simplify even more

* remove unneeded schema tooling

* fix permission mappings

* fix testing

* fix role calculations

* fix mapping

* remove importer change to unblock this

* remove importer scope everywhere

* fix merge conflict in test

* add missing models

* fix api version

* fix OASToken matcher

* revert permission class change

* reduce size of test log by writing schema

* fix permissions

* fix file path

* extend schema to remove need for TokenMatchesOASRequirements

* cleanup permissions file

* add base object permission

docs/docs/api/api.md

@@ -33,7 +33,7 @@ invoke dev.schema -help
 Users must be authenticated to gain access to the InvenTree API. The API accepts either basic username:password authentication, or token authentication. Token authentication is recommended as it provides much faster API access.
 
 !!! warning "Permissions"
-    API access is restricted based on the permissions assigned to the user.
+    API access is restricted based on the permissions assigned to the user or scope of the application.
 
 ### Basic Auth
 
@@ -44,9 +44,9 @@ Users can authenticate against the API using basic authentication - specifically
 Each user is assigned an authentication token which can be used to access the API. This token is persistent for that user (unless invalidated by an administrator) and can be used across multiple sessions.
 
 !!! info "Token Administration"
-    User tokens can be created and/or invalidated via the Admin interface.
+    User tokens can be created and/or invalidated via the user settings, admin center or admin interface.
 
-### Requesting a Token
+#### Requesting a Token
 
 If a user does not know their access token, it can be requested via the API interface itself, using a basic authentication request.
 
@@ -66,7 +66,7 @@ HTTP_200_OK
 }
 ```
 
-### Using a Token
+#### Using a Token
 
 After reception of a valid authentication token, it can be subsequently used to perform token-based authentication.
 
@@ -95,6 +95,46 @@ headers = {
 response = request.get('http://localhost:8080/api/part/', data=data, headers=headers)
 ```
 
+### oAuth2 / OIDC
+
+!!! warning "Experimental"
+    This is an experimental feature that needs to be specifically enabled. See [Experimental features](../settings/experimental.md) for more information.
+
+InvenTree has built-in support for using [oAuth2](https://oauth.net/2/) and OpenID Connect (OIDC) for authentication to the API. This enables using the instance as a very limited identity provider.
+
+A default application using a public client with PKCE enabled ships with each instance. Intended to be used with the python api and configured with very wide scopes this can also be used for quick tests - the cliend_id is `zDFnsiRheJIOKNx6aCQ0quBxECg1QBHtVFDPloJ6`.
+
+#### Managing applications
+
+Superusers can register new applications and manage existing ones using a small application under the subpath `/o/applications/`.
+It is recommended to:
+- read the spec (RFC 6749 / 6750) and/or best practices (RFC 9700) before choosing client types
+- chose scopes as narrow as possible
+- configure redirection URIs as exact as possible
+
+#### Scopes
+
+InvenTree's oAuth scopes are strongly related to the [user roles](#user-roles).
+Names consist of 1. type, 2. kind and 3. (opt) role, separated by colons.
+
+
+There are 3 types:
+
+- a: administrative scopes - used for administrating the server - these can be staff or superuser scopes
+- g: general scopes - give wide access to the basic building blocks of InvenTree
+- r: role scopes - map to specific actions (2) and roles (3)
+
+Examples:
+```bash
+a:superuser
+g:read
+r:change:part
+r:delete:stock
+```
+
+!!! info "Read the API docs"
+    The API [documentation](#documentation) and [schema](./schema.md) list the required scopes for every API endpoint / interaction in the security sections.
+
 ## Authorization
 
 ### User Roles