Analyze PASS authentication for institutional adoption

[rpoet-jh]

What?
Analyze the current PASS authentication to ensure it is adaptable to another institutional authentication system (IDM/SSO). The current authentication process relies on shib headers being present that come from the JHU IDM. We should ensure the headers are generic and not proprietary to JHU.

As part of this ticket, we should investigate OrcID OAUTH mechanism to see if it can be used as an example of an alternative authentication.

Keep in mind, Users are created via the grant loader with an employee ID and institutional ID locators. When a user logs in, PASS will use the header values from the IDM to try and lookup the user in PASS. If it finds a match with either the employee ID or institutional ID locator, it will update the User in pass with additional locators. If it finds no match, PASS will create a new User using the header values.

Why?
Another institution will most likely have a different SSO/IDM system that will be used to authenticate to PASS. We need to document what headers/etc. PASS requires for the authentication process.

How?

• Document what PASS requires from the authentication system to correlate/create the authenticated user in PASS.
• Investigate OrcID OAUTH mechanism to see if it can be used as an example of an alternative authentication.

Acceptance Criteria

• Documentation on how to configure PASS with another institution's IDM
• Working example using OrcID OAUTH for logging into PASS, if feasible

Related Issues

• Blocked by: Consolidate pass-auth and pass-docker reverse proxy functionality into pass-core #903

[rpoet-jh]

@markpatton Please review the description of this ticket and make any updates needed.

[markpatton]

There is some existing documentation about auth here: https://github.com/eclipse-pass/main/blob/main/docs/dev/authentication-authorization.md