Use composite identity OAuth token for authenticating GitLab APIs

Description

Right now we use the user's OAuth token to authenticate with GitLab APIs. We can use a composite identity OAuth token instead.

Open questions/Planning needed

  • There is also a discussion that using an id_token instead of an OAuth token would be preferred. Evaluate the feasibility.
  • What happens if the token expires in the middle of workflow execution?

Implementation Plan

  • Create a Doorkeeper OAuth application that uses dynamic scopes.

    # Trusted, non-confidential Doorkeeper application whose allowed scopes
    # include the dynamic user scope alongside the AI workflow scopes.
    oauth_application = Doorkeeper::Application.new(
      name: 'GitLab Duo Workflow',
      redirect_uri: redirect_uri,
      scopes: ::Gitlab::Auth::AI_WORKFLOW_SCOPES + [::Gitlab::Auth::DYNAMIC_USER],
      trusted: true,
      confidential: false
    )
  • Manually generate an OAuth access token for the service account with the OAuth app. Ensure that the token's dynamic scope contains the id of the human user who generated the workflow.

    dynamic_user_scope = ["user:#{user.id}"] # user who started the workflow
    # The token is owned by the service account but scoped to the human user,
    # so it carries both identities (composite identity).
    oauth_token = OauthAccessToken.create!(
      application_id: oauth_application.id,
      expires_in: 1.hour,
      resource_owner_id: service_account_user.id,
      organization: organization,
      scopes: ::Gitlab::Auth::AI_WORKFLOW_SCOPES + dynamic_user_scope
    )
  • Modify the POST /workflows API to use the composite identity OAuth token above. This token is used throughout the lifecycle of the workflow to authenticate GitLab API calls.

  • Modify the workflows_internal.rb endpoints and the GraphQL endpoints to authenticate using the composite identity OAuth token.

  • Verify that all the endpoints the Workflow tools require can be authenticated with the composite identity.
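As an added illustration (not GitLab's code), the following stand-alone Ruby models the check a composite identity token enables, namely that a call succeeds only where both the service account and the human user named in the dynamic scope have access, and the expiry case from the open questions. The Token struct, the AI_WORKFLOW_SCOPES constant, the "user:<id>" prefix and the membership list are assumptions or constructed stand-ins for the real models.

```ruby
require 'time'

# Stand-ins (assumptions) for ::Gitlab::Auth::AI_WORKFLOW_SCOPES and the "user:<id>" dynamic scope prefix.
AI_WORKFLOW_SCOPES = %w[ai_workflows].freeze
DYNAMIC_USER_PREFIX = 'user:'.freeze

# Minimal model of an access token: owned by the service account, carrying the human user in scopes.
Token = Struct.new(:resource_owner_id, :scopes, :created_at, :expires_in, keyword_init: true) do
  def expired?(now)
    created_at + expires_in <= now
  end

  # Human user id from the dynamic scope, or nil when the token carries none.
  def composite_user_id
    scope = scopes.find { |s| s.start_with?(DYNAMIC_USER_PREFIX) }
    scope && Integer(scope.delete_prefix(DYNAMIC_USER_PREFIX), exception: false)
  end
end

# Authorization decision for one API call made with the token against a project.
# `project_members` is a constructed stand-in for the real membership lookup.
def authorize(token, project_members, required_scope: 'ai_workflows', now: Time.now)
  return [:denied, :token_expired] if token.expired?(now)
  return [:denied, :missing_scope] unless token.scopes.include?(required_scope)

  human_id = token.composite_user_id
  return [:denied, :no_composite_identity] if human_id.nil?

  # Both identities must be members: the service account never reaches more
  # than the human who started the workflow could reach on their own.
  unless project_members.include?(token.resource_owner_id) && project_members.include?(human_id)
    return [:denied, :not_a_member]
  end

  [:allowed, human_id]
end

# Constructed sample: service account 42 acting for human user 7, 1-hour token.
def demo
  issued_at = Time.parse('2024-01-01T10:00:00Z')
  token = Token.new(resource_owner_id: 42, scopes: AI_WORKFLOW_SCOPES + ['user:7'],
                    created_at: issued_at, expires_in: 3600)
  [
    authorize(token, [42, 7], now: issued_at + 60),    # both members, fresh token
    authorize(token, [42], now: issued_at + 60),       # human user is not a member
    authorize(token, [42, 7], now: issued_at + 3600)   # expired mid-workflow
  ]
end
```

The third case is the open question above: a token that expires mid-workflow is refused outright, so the workflow needs a refresh or re-issue path rather than silently continuing.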

Edited by Surabhi Suman