This is a hard problem as many implementations could impact the ability to deploy from the NuGet package without modification, and SbManager doesn't currently have its own storage.
I was thinking that we could have an optional configuration for OAuth. Basically allowing you to configure an OAuth provider, as well as things like shared secrets, scopes, etc., and a JsonPath (or similar) claim check for 2 kinds of user - readonly and admin. If this configuration is on, it would check for a JWT bearer token and verify it (if none, redirect to auth server). From there it will check your user type by running the JsonPath expression on the claim set.
This allows an auth model with roles that requires no persistence other than the app config, no dependencies other than some standard HTTP/OAuth packages, and uses industry-standard methods to achieve it.
AD/OAuth/etc.
What is the best method of handling authentication and authorisation? How should we modularise it and make it configurable?
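A sketch of the JWT claim check proposed earlier on this page, added here as an example and not SbManager code: it verifies an HS256 bearer token against a configured shared secret, then maps the claim set to admin or readonly using a configured claim path. It is written in Python for brevity; the config keys, claim layout, role values and the dotted-path subset of JsonPath are all assumptions.

```python
import base64, hashlib, hmac, json, time

CONFIG = {  # hypothetical config shape; key names and values are constructed
    "shared_secret": b"constructed-demo-secret",
    "admin_check": ("$.realm.roles", "sb-admin"),
    "readonly_check": ("$.realm.roles", "sb-reader"),
}

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, secret):
    """Mint a demo token; in the proposed flow the auth server issues it."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_hs256(token, secret):
    """Return the claim set, or raise ValueError if the token must be rejected."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        given = b64url_decode(sig)
    except ValueError:
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # alg is pinned here, never taken from the token
    want = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired or missing exp")
    return claims

def claim_matches(claims, path, expected):
    """Evaluate a dotted '$.a.b' path (a small JsonPath subset) against the claims."""
    node = claims
    for key in path.split(".")[1:]:  # drop the leading "$"
        node = node.get(key) if isinstance(node, dict) else None
    return expected in node if isinstance(node, list) else node == expected

def role_for(token, config=CONFIG):
    claims = verify_hs256(token, config["shared_secret"])
    hits = [r for r in ("admin", "readonly") if claim_matches(claims, *config[r + "_check"])]
    return hits[0] if hits else None  # admin wins when both checks match
```

A caller would treat `ValueError` (or a missing token) as "redirect to the auth server" and a `None` role as "authenticated but not authorised". Issuer and audience checks are omitted here and would belong in `verify_hs256` alongside the expiry check.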