Step-up auth: Fix provider-specific session validation for multiple OAuth providers

What does this MR do and why?

Fixes step-up authentication to correctly validate sessions against the specific OAuth provider required by a namespace, rather than accepting any provider's successful authentication. This ensures proper access control when multiple OAuth providers are configured.

Previously, the system would accept step-up authentication from any configured provider, regardless of which provider the namespace actually required. This could allow unintended access if a user had authenticated with a different provider than the one specified in the namespace settings.

The fix ensures that when a namespace requires a specific OAuth provider for step-up authentication (e.g., "openid_connect"), the system will only accept step-up auth sessions from that specific provider, rejecting authentication from other providers even if they support step-up auth.
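The following is an added illustration of the validation change, not code from this MR or from GitLab itself: it contrasts a check that honours a completed step-up flow from any configured provider with one that only honours the provider the namespace requires. The provider table, the session layout and the namespace setting are constructed assumptions for the example, not GitLab's real data structures.

```ruby
# Added example (not GitLab's own code): contrasts the pre-fix check, which
# accepted a successful step-up session from ANY configured provider, with
# the corrected check that only honours the provider the namespace requires.
# The provider table, session layout and namespace setting are constructed
# assumptions for this illustration, not GitLab's real data structures.

# Constructed: providers configured on the instance and whether each one
# offers step-up auth.
PROVIDERS = {
  'openid_connect' => { step_up_auth: true },
  'saml'           => { step_up_auth: true },
  'github'         => { step_up_auth: false }
}.freeze

# Constructed session shape: a per-provider record of a completed step-up flow,
# e.g. { 'step_up_auth' => { 'saml' => 'succeeded' } }.
def step_up_succeeded?(session, provider)
  session.dig('step_up_auth', provider) == 'succeeded'
end

# Before the fix: any step-up-capable provider with a completed flow unlocks
# the group, regardless of what the namespace actually requires.
def step_up_satisfied_before_fix?(session, _namespace)
  PROVIDERS.any? do |name, cfg|
    cfg[:step_up_auth] && step_up_succeeded?(session, name)
  end
end

# After the fix: only the provider named in the namespace settings counts,
# and that provider must itself support step-up auth.
def step_up_satisfied_after_fix?(session, namespace)
  required = namespace[:step_up_auth_provider]
  return false unless required && PROVIDERS.dig(required, :step_up_auth)

  step_up_succeeded?(session, required)
end

# Constructed scenario from the MR description: the group requires
# openid_connect, but the user completed step-up auth with saml.
GROUP   = { step_up_auth_provider: 'openid_connect' }.freeze
SESSION = { 'step_up_auth' => { 'saml' => 'succeeded' } }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{step_up_satisfied_before_fix?(SESSION, GROUP)}" # true  (unintended access)
  puts "after fix:  #{step_up_satisfied_after_fix?(SESSION, GROUP)}"  # false (denied, re-auth required)
end
```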

Test coverage includes scenarios for:

  • Multiple OAuth providers with different step-up configurations
  • Validation that only the correct provider grants access
  • Rejection of authentication from non-matching providers
  • Proper handling of providers without step-up auth capability

This strengthens the security boundary for protected namespaces by ensuring authentication requirements are strictly enforced per the configured provider.

🛠️ with ❤️ at Siemens

References

Related to issue #556943 - Step-up authentication for group protection

Screenshots or screen recordings

Not applicable - Backend security fix with no UI changes

How to set up and validate locally

  1. Configure multiple OAuth providers in your GitLab instance with at least two supporting step-up authentication
  2. Create a group and configure it to require step-up authentication with a specific provider (e.g., "openid_connect")
  3. Authenticate with a different provider that also supports step-up auth (e.g., "saml")
  4. Attempt to access the protected group
  5. Verify that access is denied and you're redirected to authenticate with the correct provider
  6. Authenticate with the correct provider specified in the namespace settings
  7. Verify that access is now granted

To run the tests:

  • Execute: bundle exec rspec spec/support/shared_examples/enforce_step_up_auth_shared_examples.rb
  • Execute: bundle exec rspec spec/requests/groups_controller_spec.rb

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

MR Checklist (@gerardo-navarro)
