
Convert errors from django_openid_auth to django-oauth-toolkit with login.ubuntu.com OIDC SSO #14

Draft
Copilot wants to merge 5 commits into main from copilot/convert-errors-to-django-oauth-toolkit

Conversation

Contributor

Copilot AI commented Mar 3, 2026

django_openid_auth is deprecated. Replace it with django-oauth-toolkit (DOT) and custom OIDC client views that authenticate users via login.ubuntu.com using OpenID Connect instead of OpenID 2.0.

Changes

  • New oidc.py: OIDC client views (oidc_login, oidc_callback) implementing the authorization code flow with login.ubuntu.com — redirects users to login.ubuntu.com for authentication, exchanges authorization codes for tokens, fetches userinfo, creates/updates Django users, and maps Launchpad teams to Django groups
  • settings.py: OpenIDBackend → OAuth2Backend, oauth2_provider in INSTALLED_APPS, all OPENID_* settings replaced with OIDC client configuration (OIDC_AUTHORIZE_URL, OIDC_TOKEN_URL, OIDC_USERINFO_URL, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_CALLBACK_URL), preserved Launchpad teams mapping as OIDC_LAUNCHPAD_TEAMS_MAPPING, LOGIN_URL → /oidc/login/
  • urls.py: Added /oidc/login/ and /oidc/callback/ routes for the OIDC client flow, DOT provider URLs mounted at /o/
  • config.py: openid_trust_root → OIDC client settings (oidc_authorize_url, oidc_token_url, oidc_userinfo_url, oidc_client_id, oidc_client_secret) with defaults pointing to login.ubuntu.com
  • index.html: Preserved login.ubuntu.com profile link (unchanged from original)
  • pyproject.toml: Added django-oauth-toolkit>=3.0.0 to dev deps

Unchanged

  • auth.py group-based authorization (@can_see_stacktraces) — uses Django groups, backend-agnostic
  • logout_view / login_failed views
  • context_processors.py — builds login URL from settings.LOGIN_URL

Deployment note

Operators must set oidc_client_id and oidc_client_secret in local_config.py with valid OAuth2 client credentials registered with login.ubuntu.com. The OIDC endpoint URLs default to login.ubuntu.com/+openid-connect/* and can be overridden if needed.

Original prompt

This section details on the original issue you should resolve

<issue_title>Convert errors to using django-oauth-toolkit</issue_title>
<issue_description>The errors Django app is currently relying on the django_openid_auth plugin, but this plugin is deprecated. We should transition to django-oauth-toolkit, which is more modern and maintained, and provides OpenID Connect just fine: https://django-oauth-toolkit.readthedocs.io/en/stable/oidc.html</issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI changed the title from "[WIP] Convert errors to use django-oauth-toolkit" to "Convert errors from django_openid_auth to django-oauth-toolkit" Mar 3, 2026
Copilot finished work on behalf of Hyask March 3, 2026 17:11
Collaborator

Hyask commented Mar 3, 2026

@copilot the new workflow should still rely on the SSO provided by login.ubuntu.com, as before.

Copilot AI and others added 2 commits March 3, 2026 17:19
Add custom OIDC client views (oidc_login, oidc_callback) that redirect
users to login.ubuntu.com for authentication via OpenID Connect, replacing
the deprecated OpenID 2.0 flow from django_openid_auth.

The OIDC client flow:
1. User clicks "Log in" → /oidc/login/
2. Redirect to login.ubuntu.com OIDC authorize endpoint
3. User authenticates at login.ubuntu.com
4. Callback at /oidc/callback/ exchanges code for tokens
5. Userinfo endpoint provides user details and group memberships
6. Django user created/updated, Launchpad teams mapped to groups

Configuration (via local_config.py):
- oidc_client_id / oidc_client_secret: OAuth2 client credentials
- oidc_authorize_url / oidc_token_url / oidc_userinfo_url: OIDC endpoints

Co-authored-by: Hyask <[email protected]>
Contributor Author

Copilot AI commented Mar 3, 2026

> @copilot the new workflow should still rely on the SSO provided by login.ubuntu.com, as before.

Reworked in f851b5f. The authentication flow now uses login.ubuntu.com as the OIDC provider:

  1. /oidc/login/ redirects to login.ubuntu.com's OIDC authorize endpoint
  2. /oidc/callback/ handles the callback — exchanges the authorization code for tokens, fetches userinfo, creates/updates the Django user, and maps Launchpad teams to Django groups (preserved as OIDC_LAUNCHPAD_TEAMS_MAPPING)
  3. The login.ubuntu.com profile link in the template is restored

OIDC endpoint URLs default to login.ubuntu.com/+openid-connect/* in config.py. Operators need to set oidc_client_id and oidc_client_secret in local_config.py.

Copilot AI changed the title from "Convert errors from django_openid_auth to django-oauth-toolkit" to "Convert errors from django_openid_auth to django-oauth-toolkit with login.ubuntu.com OIDC SSO" Mar 3, 2026
Copilot finished work on behalf of Hyask March 3, 2026 17:22
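
Added example, not code from this pull request: an illustration of the checks a client implementing the /oidc/login/ and /oidc/callback/ steps described above performs before exchanging the code, plus the team-to-group mapping. The endpoint URL, client id, session key, helper names and the shape of OIDC_LAUNCHPAD_TEAMS_MAPPING (team name to group name) are assumptions; the `state` check is standard OAuth 2.0 practice and is not described on this page.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Constructed placeholder values; real ones would come from local_config.py.
SETTINGS = {
    "OIDC_AUTHORIZE_URL": "https://idp.example/authorize",
    "OIDC_CLIENT_ID": "constructed-client-id",
    "OIDC_CALLBACK_URL": "https://errors.example/oidc/callback/",
    "OIDC_LAUNCHPAD_TEAMS_MAPPING": {"team-a": "group-a"},  # assumed shape
}


def build_login_redirect(session):
    """Login step: bind a fresh random state to the session, return the URL."""
    state = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": SETTINGS["OIDC_CLIENT_ID"],
        "redirect_uri": SETTINGS["OIDC_CALLBACK_URL"],
        "scope": "openid",
        "state": state,
    })
    return f'{SETTINGS["OIDC_AUTHORIZE_URL"]}?{query}'


def check_callback(session, params):
    """Callback step, before the token exchange: return the code or raise."""
    expected = session.pop("oidc_state", None)  # single use, blocks replay
    received = params.get("state", "")
    # Compare as bytes: compare_digest rejects non-ASCII str input.
    if not expected or not hmac.compare_digest(
        expected.encode(), received.encode()
    ):
        raise PermissionError("state mismatch")
    if "error" in params or not params.get("code"):
        raise PermissionError("no authorization code")
    return params["code"]


def groups_for_teams(teams):
    """Mapping step: only teams listed in the mapping yield Django groups."""
    mapping = SETTINGS["OIDC_LAUNCHPAD_TEAMS_MAPPING"]
    return sorted({mapping[t] for t in teams if t in mapping})
```
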
Development

Successfully merging this pull request may close these issues.

Convert errors to using django-oauth-toolkit
