LEARNER-8790 Support Apple team Migration

[moeez96]

Description

Apple account that belongs to edx is to be transferred from edx Inc. to edx LLC. The unique apple_id for users (stored in social_django.models.UserSocialAuth.uid) is team-scoped i.e. unique to the owner team at Apple. As a result, We need to follow steps to migrate Apple ID's for users who sign in with Apple on edx.
This PR aims to support the Apple team migration process meanwhile allowing users to sign-in seamlessly throughout the process.

Steps:

1. Management command generate_and_store_apple_transfer_ids is run to generate transfer_identifiers for apple users. We store these transfer identifiers in the Table AppleMigrationUserIdInfo along with the current apple uid. After migration, we will use temporarily use these transfer_identifiers to match with the apple uid and allow existing users to sign in. Once step 4 is executed, use of these transfer_identifiers will end and the system will return back to normal.
2. Teams are migrated on Apple.
3. Management command generate_and_store_apple_transfer_ids is run that fetches apple uid's for the new team and stores them in the AppleMigrationUserIdInfo table.
4. Management command update_new_apple_ids_in_social_auth is run that replaces the old team-scoped apple ids' in UserSocialAuth table with the new team-scoped apple Ids.

Supporting information

1. Generating transfer identifiers BEFORE migration
2. Exchanging transfer identifiers AFTER migration
3. Info on Apple response after successful authentication of a user
4. Pre-migration ticket
5. Post migration ticket

Deadline

8th March 2023. Reason: Blocking iOS in-app purchases release.

Other information

• Once the teams have been migrated on Apple, the transfer_identifier will continue to be sent in the Apple response body (while logging in) for 60 days. We will only use this transfer identifier AFTER the migration and BEFORE fetching and populating new apple_ids in the database.
• Right after teams have been migrated, we will be updating the OAuth2ProviderConfig for provider apple-id with new Client ID and Client Secret.
• Once this exercise has been completed, all of the code added in this commit can be reverted/removed from the platform.

[robrap]

UPDATED:
We (2U/edX) need to play by everyone else's rules and not add 2U-specific needs into the codebase. Note that the Palm release is going to be cut in April, so this code will live in at least one named release if merged.

• You would need to create a new Django app plugin and deploy it using 2U's private dependencies into edx-platform.
• You can add the new plugin app into https://github.com/edx/edx-arch-experiments/ using https://github.com/openedx/edx-cookiecutters.
• I'm not sure if edx-arch-experiments is still privately deployed, or if that needs to be revived.
• See Reduce friction for adding temporary code to edx-platform edx/edx-arch-experiments#206 for more help.

Please lean on Arch-BOM to help in any way we can to reduce friction on this request. Thank you!

[moeez96]

@robrap Thanks for your comments! This change may come off as 2u-specific at first glance. But since edx-platform supports Sign in with Apple, the feature implemented here adds value to the platform over-all. i.e. In the event of switching apple teams, the platform will support migrating apple users from one team to another.
This is a possible event for any organization using the platform, and this can help other devs deal with the event with very little to no customization.

Secondly, I have overriden the function def get_user_id in common/djangoapps/third_party_auth/appleid.py to allow users to seamlessly login before, during, and after the apple team switch event. Please correct me, I do not see a clean way of doing the same implementation via an independent app using cookie_cutter.

This is also a dependency/blocker in a major in-app Purchases release Mobile team is ready for.

Please let me know your thoughts given the info above. Thank you!

[robrap]

@moeez96: Thanks. That sounds reasonable. If you want this to be a feature, maybe move some of the PR description documentation to a how-to (following OEP-19 for location in a local docs/how_to directory (might be how_tos).

[moeez96]

@robrap Done, Please review.

[dianakhuang]

I think the code looks good, but I think we should remove/replace references to edx in the documentation.

[dianakhuang]

I would not refer to edx specifically, especially if we want this to be general Open edX documentation. Maybe say LMS or edx-platform instead.

[moeez96]

Thanks @dianakhuang. I replaced occurrences of edx with LMS.

[edx-pipeline-bot]

EdX Release Notice: This PR has been deployed to the staging environment in preparation for a release to production.

[edx-pipeline-bot]

EdX Release Notice: This PR has been deployed to the production environment.

[edx-pipeline-bot]

EdX Release Notice: This PR has been deployed to the production environment.