OIDC security hardening

[davmlaw]

Addresses SACGF/variantgrid_private#3823.

Changes

oidc_auth/backend.py

• Implement provider_logout function so OIDC_OP_LOGOUT_URL_METHOD correctly terminates Keycloak sessions on logout
• Validate and sanitize OIDC claim values (email, username, given_name, family_name) before writing to user fields — validates email format, strips control characters, enforces field max lengths
• Replace claims["groups"] direct key access with .get("groups", []) plus an isinstance type check to handle absent or malformed claims gracefully
• Validate group name components against a safe-character pattern before creating or assigning groups from provider claims
• Fix maintenance-mode boolean expression to use explicit parentheses with explanatory comment

oidc_auth/oidc_error_handler.py

• Log exceptions via logger.exception() before redirecting, so OIDC errors produce an audit trail

oidc_auth/session_refresh.py

• Add comment explaining why API and AJAX requests are excluded from browser-based session refresh

variantgrid/settings/env/shariantcommon.py

• Enable PKCE (OIDC_USE_PKCE, OIDC_PKCE_CODE_CHALLENGE_METHOD = 'S256')
• Fix OIDC_OP_LOGOUT_URL_METHOD module path (auth.backend → oidc_auth.backend)
• Replace ALLOWED_HOSTS = ['*'] with explicit Shariant hostnames

Test plan

• Log in via Keycloak on test/demo — confirm normal login still works
• Log out — confirm Keycloak session is terminated (re-visiting the app prompts for credentials rather than auto-logging in)
• Confirm a user without the required group receives the "not authorised" error message
• Confirm a user with an invalid groups claim ("groups": "not-a-list") is rejected cleanly
• Confirm ALLOWED_HOSTS correctly rejects requests with an unrecognised Host: header