Enable the use of OIDC / OAUTH2

[stuwilkins]

This is likely more of a feature request, but wanted to post to see if there is any interest in this, and potentially contribute.

Is there interest in also enabling OAUTH2/OIDC authentication? At NSLS-II we are moving most (if not all) our auth from LDAP / Duo Auth Proxy over to using OIDC/OAUTH2 as it enables both single sign on and the use of REST APIs via OUATH2 which makes integration with other systems very easy and allows M2M a bit easier.

Any plans across the current contributors / maintainers?

[jacomago]

I think generally we want this. I know @georgweiss intended to look into it. But we have no timeline. We of course would accept contributions!

[georgweiss]

Yes, we'd like to use OAuth2 in other Phoebus services. That said, actual implementation may (will?) depend on the the clients expected to authenticate. For instance, the save&restore service does not have a browser client. On the other hand, the Olog service has both a browser client and a client integrated into the Phoebus desktop app.

All in all I am not quite sure yet on how to best support OAuth2 in a manner generic enough to suit all use cases.

[jacomago]

@georgweiss This is actually one of the more complicated cases as well (most of them are complicated in controls I think). I think we would want a client application token for recceivers to connect to channelfinder, but then oauth2 for phoebus to channelfinder at the same time.

[georgweiss]

@jacomago , not entirely sure about how feasible it would be, but I'd maybe propose to offload the Phoebus service clients from dealing with OAuth2 tokens it manages. Instead, the Spring Boot service could manage "classic" session tokens and map them to the OAuth equivalents. This way, when an OAuth token expires, the client would not need to manage refresh but instead rely on the service to do it.