Remote auth: Take user groups from a header

[jgraichen]

Remote authentication using the X-Remote-User header creates a user on demand but does not support assigning groups.

Describe the solution you'd like

Configuring a second header, e.g. X-Remote-Groups, with the list of groups a user should have, would ease mapping group memberships from remote auth, such as OIDC or SAML.

For example:

X-Remote-User: john
X-Remote-Groups: administrator, service-a-manager

Describe alternatives you've considered

The documentation recommends setting up LDAP group sync, but that would require LDAP infrastructure to be present and to contain the users and groups. In many modern environments, that might not be given anymore, e.g. users are managed on IdPs, such as Entrea ID, Octa, GitHub, Google, or Authentik. Some might offer LDAP endpoints, which would need extra configuration, but others do not.

Maintaining a standalone LDAP only for Icingaweb2 group mappings is tedious, or impossible, if users are not known upfront.

Additional context

The header could be specified in a configuration, and, if no header is configured, nothing would happen.

If the header must contain all groups for user, it would support addition and removal, or only stored in the session/not at all.