Auth: Add feature flag to move token rotation to client (#65060)

* FeatureToggle: Add toggle to use a new way of rotating tokens

* API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirects

* Auth: Align not authorized handling between auth middleware and access
control middleware

* API: add utility function to get redirect for login

* API: Handle token rotation redirect for login page

* Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request

* ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated

* AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated

* Cookies: Add option NotHttpOnly

* AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated

* AuthN: Add function to delete session cookie and set expiry cookie

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Karl Persson
2023-03-23 14:39:04 +01:00
committed by GitHub
parent d13488a435
commit 382b24742a
30 changed files with 813 additions and 261 deletions
+8 -1
@@ -2,6 +2,7 @@ package authnimpl
import (
"context"
"errors"
"net/http"
"strconv"
@@ -81,7 +82,7 @@ func ProvideService(
s.RegisterClient(clients.ProvideAPIKey(apikeyService, userService))
if cfg.LoginCookieName != "" {
s.RegisterClient(clients.ProvideSession(sessionService, userService, cfg))
s.RegisterClient(clients.ProvideSession(cfg, sessionService, features))
}
if s.cfg.AnonymousEnabled {
@@ -187,6 +188,12 @@ func (s *Service) Authenticate(ctx context.Context, r *authn.Request) (*authn.Id
if item.v.Test(ctx, r) {
identity, err := s.authenticate(ctx, item.v, r)
if err != nil {
// Note: special case for token rotation
// We don't want to fallthrough in this case
if errors.Is(err, authn.ErrTokenNeedsRotation) {
return nil, err
}
authErr = multierror.Append(authErr, err)
// try next
continue