OpenCHAMI / roadmap

Public Roadmap Project for Ochami
MIT License

[DEV] Add an OIDC/JWT issuer in order to support Authentication and Authorization #18

Open alexlovelltroy opened 6 months ago

alexlovelltroy commented 6 months ago

In order to be useful for the teams as part of the Supercomputing Institute, ochami must support both authentication and authorization sufficient to keep each team in their own sandbox. RFD #11 covers how authorization must be handled with JWTs. In order to enforce authorization, we also need a system and method for authenticating users and creating narrowly scoped tokens.

davidallendj commented 5 months ago

This is completed for SMD with this commit. Do we want to implement this for any other microservice before SI?

alexlovelltroy commented 4 months ago

Reassigning this to @davidallendj

We've been having a lot of discussions about hydra/authelia/keycloak and which OAuth flows to support. At this point, we are leaning towards using hydra, possibly with kratos, and supporting the Authentication Code Flow with PKCE as described in https://datatracker.ietf.org/doc/html/rfc7636.

We probably need a design document or blog post that describes how this works. It's not clear to me that our exploration has gotten us to a point where we're confident in our direction so we can delay that work for a bit.

Authentication and Authorization Straw Man
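As an added example (not code from the OpenCHAMI project or the commenters), this is the RFC 7636 S256 code-challenge derivation that the PKCE flow discussed above relies on, together with the token-endpoint check an authorization server such as hydra performs on it; function names are my own and the constructed test values come from RFC 7636 Appendix B.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"strings"
)

// NewCodeVerifier: client-side code_verifier per RFC 7636 section 4.1 (32 random octets, base64url, 43 chars).
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// S256Challenge derives code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (section 4.2).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// validVerifier enforces the section 4.1 grammar: 43..128 unreserved characters.
func validVerifier(v string) bool {
	if len(v) < 43 || len(v) > 128 {
		return false
	}
	for i := 0; i < len(v); i++ {
		ch := v[i]
		alnum := (ch >= 'A' && ch <= 'Z') || (ch >= 'a' && ch <= 'z') || (ch >= '0' && ch <= '9')
		if !alnum && strings.IndexByte("-._~", ch) < 0 {
			return false
		}
	}
	return true
}

// VerifyS256 is the authorization server's token-endpoint check (section 4.6): recompute the
// challenge from the presented verifier and compare it in constant time with the stored one.
func VerifyS256(storedChallenge, presentedVerifier string) bool {
	if !validVerifier(presentedVerifier) {
		return false
	}
	expected := S256Challenge(presentedVerifier)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(storedChallenge)) == 1
}
```

The server stores only the challenge with the issued authorization code, so a stolen code is useless without the verifier the client kept in memory.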