Closed
Description
Is your feature request related to a problem? Please describe.
In order to integrate R2R with other services or systems that may already have their own identity / auth mechanisms, it would be great to have a way for R2R to be able to accept, trust and verify JWT tokens issued by other auth systems.
Describe the solution you'd like
Create a JWT auth provider that allows R2R endpoints to perform auth using JWT bearer tokens issued by trusted other services.
Describe alternatives you've considered
The simplest implementation of this is synchronous verification (shared JWT secret). Other options include public/private keys, OAuth2 (make R2R a resource server), and OIDC (make R2R a relying party).
Additional context
Things to consider:
- How to configure the JWT secret. This secret is a sensitive piece of information that should be handled and protected appropriately. Disclosure of this secret could allow an attacker to craft arbitrary valid JWT tokens that the system would accept.
- How to create users if a token representing a user unknown to R2R is presented for the first time (also, updating users based on token claims)
NolanTrem