feat(core-api): pluggable authentication - Open ID Connect #144

Open
petermetz opened this issue May 20, 2020 · 2 comments
Labels
API_Server enhancement New feature or request P4 Priority 4: Low Security Related to existing or potential security vulnerabilities

Comments

@petermetz
Member

Is your feature request related to a problem? Please describe.
Yes, we don't have authentication between clients and the Cactus API at the moment.

Describe the solution you'd like
We need a pluggable authentication layer that's flexible enough to handle federation among a set of identity providers (consortium members who run their own Cactus nodes joined together into a consortium).
Resource providers would be the Cactus API and the ledgers they connect (open to rephrasing this if someone has different ideas on terminology/concepts).

It's important that through the existing web service plugin mechanism people can write their own authentication plugins as well.

As usual, all of this must be configurable dynamically so that its testing can be fully automated as well which implicitly enables the creation of much simpler examples as well when there are no or very few manual steps involved.

Describe alternatives you've considered
Also looked into SAML, but ideally we'd want something that's designed from the ground up to work with authentication clients from browser and also mobile environments. SAML is good but it's a little rusty when it comes to native/mobile web authentication flows.

Additional context

I already started working on this in my fork in the form of a web service plugin that can be enabled on the API server through configuration.
Finer details are not fully clear yet but will be easier to iterate once we have a baseline established. Expect PR to drop soon.

cc: @jonathan-m-hamilton @sfuji822 @takeutak

@petermetz petermetz added the enhancement New feature or request label May 20, 2020
@petermetz petermetz self-assigned this May 20, 2020
@petermetz
Member Author

petermetz commented Aug 30, 2020

Note to self: Extending the scope of this: Instead of having the authentication just for end users, we will also need it for administrative purposes. As an example, a specific OAuth2 scope should be successfully claimed in a JWT before a request to deploy a contract to a ledger through a connector can be executed.
For an enterprise deployment scenario I would imagine the most common would be some federated scenario where the identity provider is an external system to Cactus that the enterprise has been maintaining prior to the deployment of Cactus itself.
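
The scope gate described in the comment above, as an added example that is not part of the issue or of the Cactus code base: a deploy request is allowed only if the bearer JWT verifies, is unexpired, and carries the required scope. The scope name `cactus:deploy-contract`, the function names, and the HS256 shared secret are assumptions made for illustration; an external identity provider would normally sign with an asymmetric key instead.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical scope name; the issue does not define one.
const DEPLOY_SCOPE = "cactus:deploy-contract";

const b64url = (s: string): string =>
  Buffer.from(s, "utf8").toString("base64url");

// Mint an HS256 token. Only used to build constructed sample tokens.
function signHs256(claims: object, secret: string): string {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", secret).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

type Decision = { allow: boolean; reason: string };

// Decide whether the bearer token may trigger a contract deployment.
function authorizeDeploy(token: string, secret: string, nowSec: number): Decision {
  const parts = token.split(".");
  if (parts.length !== 3) return { allow: false, reason: "malformed token" };
  const [head, body, sig] = parts;
  let header: any, claims: any;
  try {
    header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
    claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return { allow: false, reason: "malformed token" };
  }
  // Pin the algorithm: the token must not be able to select "none" or another alg.
  if (header?.alg !== "HS256") return { allow: false, reason: "unexpected alg" };
  const expected = createHmac("sha256", secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected))
    return { allow: false, reason: "bad signature" };
  if (typeof claims?.exp !== "number" || claims.exp <= nowSec)
    return { allow: false, reason: "expired" };
  // OAuth2 access tokens carry scopes as one space-delimited string.
  const scopes = typeof claims.scope === "string" ? claims.scope.split(" ") : [];
  if (!scopes.includes(DEPLOY_SCOPE)) return { allow: false, reason: "missing scope" };
  return { allow: true, reason: "ok" };
}
```
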

@petermetz petermetz added this to the v0.10.0 milestone Sep 25, 2020
@petermetz petermetz added API_Server Security Related to existing or potential security vulnerabilities labels Sep 25, 2020
@petermetz petermetz modified the milestones: v0.10.0, v0.6.0 Sep 25, 2020
@petermetz petermetz changed the title Pluggable Authentication - Initially with Open ID Connect feat(core-api): pluggable authentication - Open ID Connect Feb 5, 2021
@petermetz petermetz modified the milestones: v0.6.0, v0.8.0 May 19, 2021
@petermetz petermetz modified the milestones: v0.8.0, v0.9.0 Aug 17, 2021
@petermetz petermetz modified the milestones: v0.9.0, v0.10.0 Sep 2, 2021
ryjones pushed a commit that referenced this issue Feb 1, 2023
added fabric-cli with commands to exercise asset-exchange in Go
@petermetz petermetz added the P4 Priority 4: Low label Aug 20, 2023
@petermetz petermetz modified the milestones: v0.10.0, vT.B.D Aug 20, 2023
@petermetz
Member Author

We have JWT support now so full OIDC support is a little lower on the priority list.
