feat: Add support to poll users on external SSO (#12592)

Additional support for vendor-specific admin API
integrations for OpenID, to ensure validity of
credentials on MinIO.

Every 5minutes check for validity of credentials
on MinIO with vendor specific IDP.

docs/sts/keycloak.md

@@ -6,12 +6,15 @@ Keycloak is an open source Identity and Access Management solution aimed at mode
 
 Configure and install keycloak server by following [Keycloak Installation Guide](https://www.keycloak.org/docs/latest/getting_started/index.html) (finish upto section 3.4)
 
-### Configure Keycloak UI
+### Configure Keycloak Realm
 - Go to Clients
   - Click on account
-  - Settings
-  - Enable `Implicit Flow`
-  - Save
+    - Settings
+    - Change `Access Type` to `confidential`.
+    - Save
+  - Click on credentials tab
+    - Copy the `Secret` to clipboard.
+    - This value is needed for `MINIO_IDENTITY_OPENID_CLIENT_SECRET` for MinIO.
 
 - Go to Users
   - Click on the user
@@ -36,6 +39,42 @@ Configure and install keycloak server by following [Keycloak Installation Guide]
 
 - Open http://localhost:8080/auth/realms/minio/.well-known/openid-configuration to verify OpenID discovery document, verify it has `authorization_endpoint` and `jwks_uri`
 
+### Enable Keycloak Admin REST API support
+Before being able to authenticate against the Admin REST API using a client_id and a client_secret you need to make sure the client is configured as it follows:
+
+- `account` client_id is a confidential client that belongs to the realm `{realm}`
+- `account` client_id is has **Service Accounts Enabled** option enabled.
+- `account` client_id has a custom "Audience" mapper, in the Mappers section.
+  - Included Client Audience: security-admin-console
+
+#### Adding 'admin' Role
+
+- Go to Roles
+  - Add new Role `admin` with Description `${role_admin}`.
+  - Add this Role into compositive role named `default-roles-{realm}` - `{realm}` should be replaced with whatever realm you created from `prerequisites` section. This role is automatically trusted in the 'Service Accounts' tab.
+
+- Check that `account` client_id has the role 'admin' assigned in the "Service Account Roles" tab.
+
+After that, you will be able to obtain an access token for the Admin REST API using client_id and client_secret:
+
+```
+curl \
+  -d "client_id=<YOUR_CLIENT_ID>" \
+  -d "client_secret=<YOUR_CLIENT_SECRET>" \
+  -d "grant_type=client_credentials" \
+  "http://localhost:8080/auth/realms/{realm}/protocol/openid-connect/token"
+```
+
+The result will be a JSON document. To invoke the API you need to extract the value of the access_token property. You can then invoke the API by including the value in the Authorization header of requests to the API.
+
+The following example shows how to get the details of the user with `{userid}` from `{realm}` realm:
+
+```
+curl \
+  -H "Authorization: Bearer eyJhbGciOiJSUz..." \
+  "http://localhost:8080/auth/admin/realms/{realm}/users/{userid}"
+```
+
 ### Configure MinIO
 ```
 $ export MINIO_ROOT_USER=minio