Create design for user and machine auth

User Story:

As ReportStream, I should have a documented long-term strategy for authorization and authentication for both user->RS and machine->RS interfaces.

Description/Use Case

Presently, ReportStream implements the two-legged auth approach specified by FHIR. This is not up for discussion. What is, however, is the following:

Where do we store the JWKs (keys) for this type of auth. This is currently stored in the RS database as part of the Organization in the settings table. It would probably be better if we had a third-party app manage this for us (like keycloak)

Presently, RS uses SimpleReport's instance of Okta for user auth. There is current work ongoing to move RS to its own Okta instance, but should that be the long term solution? Jim's discussion with Boris can be found below, and will need to be investigated.

Boris (Yu Ning) from the CD recommends we take a look at Keycloak for our Identity Provider. Then he suggests using [Login.gov](http://login.gov/) for identity proofing, either via
ReportStream -> Keycloak -> SAMS -> [Login.gov](http://login.gov/)
or maybe
ReportStream -> Keycloak ->  [Login.gov](http://login.gov/)

Mo's thoughts: https://cdc-my.sharepoint.com/:w:/r/personal/qva8_cdc_gov/Documents/Authentication%20Enhancements%20for%20ReportStream.docx?d=wdb87f60aca0e4f8394c998d8ec0d6d7f&csf=1&web=1&e=mxZ6ve

Arnej's thoughts: Seems like this tutorial would be a good start, should look through this and then discuss with Nava's login.gov team: https://www.baeldung.com/spring-cloud-gateway-oauth2

Risks/Impacts/Considerations

Dev Notes:

Check in with Rick Hawes
Check in with DEX (who has hired IBM to do something similar)
Check in with Flexion

Acceptance Criteri

[ ] Auth architecture/strategy designed.
[ ] Reviewed design with Boris from CDC
[ ] Reviewed design with Peter from Flexion

CDCgov / prime-reportstream