Authentication methods to support

[konstjar]

We need to get rid of Authenticator component and to switch to something generic like Spring Security.
There is a need to support the following authentication methods:

• Local user (Local database). It will require user management (CRUD operations) through the UI.
• OpenID Connect
• SAML2
• Google IAP

[konstjar]

@ablack3 Feel free to provide your input on this based on your knowledge.

[dmitrys-odysseus]

As of spring-security 6.x, all the mentioned components are supported out of the box :
OpenID Connect - included in spring-security-oauth2-client / spring-security-oauth2-resource-server
SAML2 - Here are some examples
https://github.com/spring-projects/spring-security-samples/blob/main/servlet/spring-boot/java/saml2/custom-urls/README.adoc
The implementation looks quite advanced at a glance and supports proper logout.
IAP via spring-cloud-gcp-security-iap.
The latter is somewhat "nominal" implementation that needs some extra effort to be adapted to our case and so far I didn't spot any evidence it supports proper logout, but since IAP authentication is outside of the normal Authenticator API scope anyway, we are not taking a loss here.

Therefore, the target state is to use spring-security with standard extensions.

[anthonysena]

Let's link this to OHDSI/AtlasWebAPIRoadmap#5 with the idea that we leverage the same capabilities across the OHDSI stack where possible.