Fix OIDC cookie related tenant id and chunk calculation issues

[sberyozkin]

Fixes #39849.
Fixes #39417.
Fixes #38535.

This PR fixes several issues related to the OIDC tenant resolution and the session management, all discovered while looking at the test failure as a result of the initial work with #39417.
As it happens, the initial #39417 fix exposed these problems, how the OIDC quickstart tenancy test was passing when the tenants are switched with the same session cookie path before is still a mystery to me.

So, this PR does the following:

• Makes sure that if the tenant id has been changed after it was set by the session cookie, then, before the reauthentication, it removes now obsolete session cookie(s) belonging to the old tenant
• Avoids calling OidcAuthenticationMechanism#resolve 3 times
• Decreases the max session cookie value to 4056 bytes, otherwise the browsers will drop the session cookie chunks if the automatic session cookie splitting is enabled (it is by default)
• Fixed the multi-tenant docs describing the correct sequence of the resolution
• Replacing a totally inadequate section on how to manage web-app tenants with hopefully a more useful advice
• Improved the existing tests, added new ones

This is a technical PR which tries to cover the grey areas related to the session cookie splitting, and provide the better advice on how to manage tenants

[sberyozkin]

Thanks @gastaldi, I added some doc text between 1., 2., 3. bullets so the doc build failed, replaced with === Step 1: ... for 3 steps.

@michalvavrik Please confirm when you get a chance that we are in agreement re the doc-ed order of tenant resolution :-)

A minor follow up optimization is also possible (OidcAuthenticationMechanism records a resolved OidcTenantConfig in the context, but so is DefaultTenantConfigResolver but using different keys for statically and dynamically resolved configs and I thought I'd rather consider looking into it separately to avoid overextending this PR)

[michalvavrik]

LGTM

[sberyozkin]

Thanks @michalvavrik

@pedroigor Hi Pedro, have a look if you get a chance, I'll keep it for another day, see the PR description, it is mainly about bug fixes related to the cookie max size (and the subsequent splits), making sure the old tenant's cookies are cleaned up if for some reasons and improving the multi-tenancy docs.

[sberyozkin]

I've picked up the direct session cookie encryption update just to make sure it does not impact anything here (it must not)

[quarkus-bot]

Status for workflow Quarkus Documentation CI

This is the status report for running Quarkus Documentation CI on commit 61529c2.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

⚠️ There are other workflow runs running, you probably need to wait for their status before merging.

[quarkus-bot]

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit 61529c2.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

[sberyozkin]

I suppose I'll go ahead, I'm seeing some strange Keycloak 24.0.2 test errors, and this PR fixes a few session and tenant resolution issues, so may be it can help.

[github-actions]

🙈 The PR is closed and the preview is expired.