Improve Ballerina authn & authz configurations #63

Closed
ldclakmal opened this issue Mar 23, 2020 · 0 comments · Fixed by ballerina-platform/module-ballerina-http#142
Labels: Area/Security, module/auth, Type/Improvement, Verson/SwanLakeDump

Comments


ldclakmal commented Mar 23, 2020

Description:

Design

  • Authorization logic is currently limited to the scope attribute in every authentication mechanism (Basic Auth, JWT, OAuth2, LDAP). We need to improve this current ABAC approach by providing the flexibility for the user to build up their own authorization logic without being limited to the scope attribute we have now. But, from an implementation perspective, we must think carefully about how we can make it generic across all the authentication providers we support now and are yet to support. Also, apart from "static values" of the given attributes, we may have to consider how we can handle "dynamic values" of the given attributes, which may be used for authorization decisions.

  • Authorization cannot be bound to each auth handler. Currently the defined values for the scope attribute are applied to all the auth handlers plugged into the listener, service, or resource.

  • Need a way to identify from which auth scheme / provider the authentication was successful.

  • Need a mechanism to post-engage auth providers for authentication with AWS, OAuth 1.0a, etc.

Configurations

  • The scope pattern attribute, whose type is defined as string[][], cannot define the following pattern: (a AND b) OR (c AND d).

  • Need the capability to enable/disable and set the array position of authn & authz filters separately. See: Add config to disable authz filter [1.2.x] ballerina-lang#22109

  • Need to provide better configurations for auth handler engagement when the position field is configured.
    If it is needed to engage filters in the order filterA, authnFilter, filterB, the config would be as follows. This is misleading.

import ballerina/http;

// filterA and filterB are the user's own http:RequestFilter instances; jwtAuthHandler is the
// configured auth handler. The closing `});` was missing in the original snippet.
listener http:Listener l = new (9090, {
    filters: [filterA, filterB],
    auth: {
        authHandlers: [jwtAuthHandler],
        position: 1,                // index in the filter chain at which the authn filter is engaged
        mandateSecureSocket: false
    }
});
ldclakmal self-assigned this Mar 23, 2020
ldclakmal transferred this issue from ballerina-platform/ballerina-lang Oct 23, 2020
ldclakmal added the Verson/SwanLakeDump label Dec 9, 2020
ldclakmal added this to the Swan Lake - Alpha milestone Dec 9, 2020
ldclakmal added the Area/Security label Sep 28, 2021