Authentication via keys or tokens

[joshkoenig]

Terminus currently authenticates using the same HTTP service as the dashboard, which has a number of shortcomings:

• Incompatible with 2FA (Support 2-factor Authentication #279)
• Unfriendly to automation (As a developer, I would like to authenticate with my SSH key rather than my dashboard password with the CLI #118)

Implementing an alternative authentication mechanism will require work on the platform side, but we have to go down this path to support all our users.

[joshkoenig]

I graphed up a little diagram of out I think the authentication flow would work for a user.

The flow would be like:

1. User issues the terminus setup command.
2. This prompts them for their account email address, password, and "app label" (defaults to "terminus on (local machinename))
3. This POSTs to Hermes, which authenticates the request and gets Pantheon PKI to generate a new x509 certificate for the user.
4. That cert is returned to the client, where it's stored on the filesystem in a default path for subsequent requests.
5. On the dashboard, the certs issued can be viewed by date and label.
6. Dashboard allows you to re-label (for sanity), as well as re-download and revoke certs.
7. Dashboard also allows you to generate a new cert (e.g. for doing CI work)
8. Terminus can take a command line flag (e.g. --identity-cert=/path/to/identity.pem) or read some configuration option to use a cert other than the one in the default location.

[TeslaDethray]

This is being addressed with the Auth0 implementation. Closing.