* add "view" permission for secret links that grants permissions to both
  "read" as well as "read_files"

* if local login is disabled and there is only one OAuth2 remote app
  defined, we redirect straight to that remote app's login page

* note that this does not prevent motivated users from updating their
  user profiles via POST requests; however, there doesn't seem to be a
  proper way of disabling updates to user profiles...

* note: the registration form is only used if the user info (e.g.
  preferred_username) provided by Keycloak fails validation (e.g.
  because the username contains illegal characters)
* the custom logic tries to come up with a unqiue and valid username, if
  the supplied preferred_username doesn't cut it

* when the owner is still set as an integer, but it is accessed like a
  dictionary, a TypeError is thrown instead of a KeyError

* since the january release, the owned_by array doens't only contain
  pure integer IDs, but dictionaries with "user" properties

* previously, used a RecordFilesServiceConfig instead of a
  DraftFilesServiceConfig as superclass of our custom
  DraftFilesServiceConfig, and thus we the wrong record model class
  (records instead of drafts)

* adjust for the new way of using the configured RecordServices
  from RDM-Records
* ignore flake8 E731: nagging about lambda vs def

* since the keycloak contribution was added to the latest version of
  Invenio-OAuthClient, the fallback isn't required here anymore -- to
  increase maintainability, drop the duplicate code here

* prior to the invenio-rdm-records refactor, the RecordService configs
  were set globally by name in the configuration
  (e.g. RDM_RECORDS_BIBLIOGRAPHIC_SERVICE_CONFIG = MyConfigClass)
* now, this is limited to the Services registered in the
  InvenioRDMRecords Flask extension and does no longer affect
  all newly instantiated Bibliographic*Services

* some parts from invenio-rdm-records were refactored and moved into
  invenio-app-rdm

* Fix some bugs
* Check permissions before previewing files
* Refactor a little bit

* previously, the invenio-oauthclient.contrib.keycloak handlers were
  still referenced, which may not be available

* change it to another testing/sandbox realm that allows redirect URIs
  to be set to https://localhost*

* assign a name to the entrypoint that appears very late in a
  lexicographic ordering, to override values from other config modules

* Refactor permissions into separate module
* Add custom overrides for permission generators
* Add custom file download view, using the new embargo permission
  generator

* rename Keycloak remote app to "TU Wien SSO"

* the permission generators expect the presence of an argument that
  isn't currently being supplied, causing them to fail

* currently (december 2020), they are still not really functional;
  thus, we want to hide them from the users

* restrictively override the access permissions: allow record/draft
  creation only for admins
* update datacite account name

* set our new DOI prefix
* set values for Flask rate limiting
* increase file size limits for previews
* set values for current deployment (e.g. list of allowed host names)

Since TU Wien's Invenio-Keycloak is moving to Invenio-OAuthClient.contrib,
the required configuration has to be adapted