operate-first / blueprint

This is the blueprint for the Operate First Initiative
GNU General Public License v3.0

Authentication for all platform environments #74

Closed durandom closed 3 years ago

tumido commented 3 years ago

Related: #30

durandom commented 3 years ago

We can aggregate them via Keycloak if we want to - offering choice from all the options.

If we aggregate via Keycloak, do we need to maintain a mapping? Right now we have email addresses in our RBAC configs. Is that the ID that keycloak/OCP would use to map a user? How about ID collisions?

tumido commented 3 years ago

@durandom Keycloak can provide various ways to map users if we enable multiple identity providers. It's a pretty mature project so this should be easy to solve. I can prepare a PoC to demonstrate this linking. Usually the emails are the best ID that is transferable across many ID providers, so it makes sense to use it as the primary identifier. However we can try to override that mapping and use GH usernames instead (forcing users to log in via GH on the first login).

I would vote against a user option to change usernames, since that would make ID conflicts possible.

billburnseh commented 3 years ago

Changed assignee as Tom appears to be working this.

HumairAK commented 3 years ago

@durandom can you run pre-commit on this PR? https://github.com/operate-first/apps/blob/master/contributing.md#tests

Also, can you rename the ADR to the next number, as we already have an ADR 15?

tumido commented 3 years ago

Since I'm assigned to this and we want to make it fast, I'll update the PR

HumairAK commented 3 years ago

@tumido can you also update the links to the proper format, the brackets are reversed

4n4nd commented 3 years ago

/retest

tumido commented 3 years ago

changes applied. :slightly_smiling_face:

HumairAK commented 3 years ago

/lgtm

sesheta commented 3 years ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tumido

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/operate-first/blueprint/blob/main/OWNERS)~~ [tumido]

Approvers can indicate their approval by writing `/approve` in a comment

Approvers can cancel approval by writing `/approve cancel` in a comment