Metaissue: Runtime API Auth

[PeopleMakeCulture]

Phase 1: User can access runtime API with ORCID

• https://github.com/microbiomedata/nmdc-runtime/issues/333
• the runtime will allow for an additional auth mechanism where an ORCID JWT token can be passed in and validated (I think OpenID fits into this nicely). This would map to a user identified by their ORCID id
• We will continue to support Client ID / Client Key based authentication for workflows and non-ORCID based agents
• We don't need to use the ORCID access_tokens because those are for accessing ORCID services

Phase 2: Consolidated ACLs (Access Control List)

• https://github.com/microbiomedata/nmdc-runtime/issues/310
• Users, sites and _runtime.api.allow should be consolidated, and site functionality deprecated. Everyone is just a user and will either come in via orcid or client id/key. No more sites, just separate users if we need different workflow agents etc.
• Similarly admin access will be managed in the same mongo (Users) collection.

Phase 3: Refine

• We may also want to set lifetimes on orcid tokens - this should be do-able using OpenID Connect.

[ssarrafan]

Last day of sprint. Removing from sprint. Adding backlog label.

[dwinston]

See #310 for simplifying permissions with user agent and roles models

[PeopleMakeCulture]

See #428 for single-click ORCiD sign-on

[PeopleMakeCulture]

See #429 for user identity resolution

[turbomam]

As part of this refactoring, can the user help in the Swagger Authorize button be updated? For example, could it say which authorization method supports the use of an ORICID, and what the flow is in terms of entering the ORCID (and whetehr it should be a bare ID or should include the prefix), being redirected to another page, copying a token, and then pasting that back into the Swagger Authorize dialog?

I know we have been given walk-throughs on this, but I'm just wondering if there is some documentation or videos I can refer back to. If not, it would be nice to have some hints in the Swagger Authorize dialog.

[PeopleMakeCulture]

@turbomam Addtnl documentation is a good idea--I will add some in. Thanks for the suggestion! Progress tracked in #428