The trust anchor for CF deployments can be centralized; this means that your password is not in CF but in an IDP (SAML or OIDC). With an OIDC IDP you can do password forwarding, meaning cf login -u user -p password --origin idp generates a password grant to UAA, and UAA can forward this to the next IDP to forward / check the password on the IDP level.
Moving away from passwords towards token-based authentication should allow the same possibility.
If you do cf auth --assertion --origin idp, this generates a JWT to UAA, but if the trust of the JWT is not set up in UAA but in the trusted IDP, then this breaks the flow.
Therefore we should support the same option for JWT bearer, meaning: if --origin is set up, then login_hint in the JWT bearer should be checked, and if the JWT is not trusted (simply, we have no trusted IdP in UAA with this issuer), then we forward this JWT to the origin IDP with a JWT bearer to this IDP, very similar to what we do with the password grant proxy.
The result of this JWT bearer should be processed very similarly to the password grant proxy.
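To make the proposed routing concrete, here is an added illustration (not UAA code, and not the issue author's) of the decision described above: read the assertion's issuer, accept it locally when a trusted IdP with that issuer exists, otherwise build an RFC 7523 JWT bearer request to the origin IdP named by the hint. The IDPS table, its keys and make_test_jwt are constructed for this example only.

```python
import base64
import json
from typing import Optional
from urllib.parse import urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Constructed stand-in for the identity providers UAA knows about
# (hypothetical structure, not UAA's real configuration format).
IDPS = {
    "corp-idp": {
        "issuer": "https://idp.example.com",
        "token_url": "https://idp.example.com/oauth/token",
    },
    "legacy-idp": {
        "issuer": "https://legacy.example.com",
        "token_url": "https://legacy.example.com/oauth/token",
    },
}


def make_test_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature, for offline demonstration only."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.signature-omitted"


def unverified_claims(jwt: str) -> dict:
    """Read the payload WITHOUT verifying the signature. This is only used to
    route the assertion; it must never be used to grant access."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def route_assertion(assertion: str, origin: Optional[str]):
    """Decide whether UAA validates the JWT itself or proxies it to the origin IdP.
    Returns ("local", idp_name), ("proxy", token_url, form_body) or ("reject", reason)."""
    iss = unverified_claims(assertion).get("iss")
    trusted_by_issuer = {cfg["issuer"]: name for name, cfg in IDPS.items()}
    if iss in trusted_by_issuer:
        return ("local", trusted_by_issuer[iss])  # normal path: verify signature against this IdP's keys
    if origin is None:
        return ("reject", "issuer not trusted and no --origin hint given")
    idp = IDPS.get(origin)
    if idp is None:
        return ("reject", f"unknown origin {origin!r}")
    # Forward only to the IdP the caller named; its response is then validated like the password grant proxy result.
    form = urlencode({"grant_type": JWT_BEARER, "assertion": assertion})
    return ("proxy", idp["token_url"], form)
```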