Feature/tokensmith auth #86

Open
alexlovelltroy wants to merge 9 commits into main from feature/tokensmith-auth
Conversation

@alexlovelltroy (Member)

Description

This pull request introduces a new, pluggable authentication system for SMD, allowing selection between the legacy JWT backend and a new TokenSmith-based backend. It adds new startup flags and environment variables for authentication configuration, improves logging for authentication failures, and refactors authentication initialization and verification logic for clarity and extensibility. Documentation is updated to describe the new authentication options and runtime behavior.

Authentication system improvements:

  • Adds support for two authentication backends: the existing legacy backend and a new tokensmith backend, selectable via the -auth-backend flag or SMD_AUTH_BACKEND environment variable. The TokenSmith backend validates issuer and audience in addition to JWKS.
  • Introduces new flags and environment variables: -auth-issuer/SMD_AUTH_ISSUER and -auth-audiences/SMD_AUTH_AUDIENCES, required for the TokenSmith backend.
  • Refactors authentication initialization into backend-specific methods, with improved error handling and retry logic.

Middleware and route handling:

  • Refactors route registration to use the new authentication middleware, ensuring protected routes are guarded according to the selected backend.

Verification and claims extraction:

  • Refactors claim and scope extraction to support both backends, improving code clarity and making it easier to add future backends.
  • Extracts scope parsing into a helper function that supports multiple claim formats.

Logging and diagnostics:

  • Adds detailed logging of authentication rejections, including backend, HTTP method, path, remote address, auth header presence, scheme, and (for TokenSmith) expected issuer and audiences.

Documentation and dependencies:

  • Updates documentation to describe the new authentication configuration, runtime controls, and backend options.
  • Updates dependencies, including adding github.com/openchami/tokensmith and updating several libraries.

Checklist

  • My code follows the style guidelines of this project
  • I have added/updated comments where needed
  • I have added tests that prove my fix is effective or my feature works
  • I have run make test (or equivalent) locally and all tests pass
  • DCO Sign-off: All commits are signed off (git commit -s) with my real name and email

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update

For more info, see Contributing Guidelines.
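Added example, not SMD's or TokenSmith's own code: a Go sketch of the two pieces the description outlines, a scope-parsing helper that accepts either a space-delimited string or an array claim, and the issuer/audience check the TokenSmith backend applies on top of JWKS signature verification, returning a reason string of the kind the new rejection log would carry. Function and parameter names are assumed; the claim keys ("scope", "scp", "iss", "aud") are standard JWT/OAuth claim names, not taken from the PR.

```go
package main

import (
	"fmt"
	"strings"
)

// claimStrings flattens a claim that may be a string or a JSON array of strings.
func claimStrings(v any) (out []string) {
	switch t := v.(type) {
	case string:
		out = []string{t}
	case []any:
		for _, e := range t {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
	}
	return out
}
// ParseScopes accepts a space-delimited "scope" string or a "scope"/"scp" array.
func ParseScopes(claims map[string]any) (scopes []string) {
	for _, key := range []string{"scope", "scp"} {
		for _, s := range claimStrings(claims[key]) {
			scopes = append(scopes, strings.Fields(s)...)
		}
	}
	return scopes
}
// CheckIssuerAudience is the check the TokenSmith backend adds after JWKS signature
// verification: exact "iss" match and at least one configured audience in "aud".
// It returns a short rejection reason for the diagnostics log, or "" on success.
func CheckIssuerAudience(issuer string, audiences []string, claims map[string]any) string {
	if iss, _ := claims["iss"].(string); iss != issuer {
		return "issuer mismatch"
	}
	for _, got := range claimStrings(claims["aud"]) {
		for _, want := range audiences {
			if got == want {
				return ""
			}
		}
	}
	return "audience mismatch"
}
func main() {
	claims := map[string]any{"iss": "https://issuer.example", "aud": []any{"bss", "smd"}, "scp": []any{"smd.read"}}
	fmt.Println(CheckIssuerAudience("https://issuer.example", []string{"smd"}, claims), ParseScopes(claims))
}
```

A missing "iss" claim is treated as a mismatch rather than a pass, which is the safe default for an optional-looking claim.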

Signed-off-by: Alex Lovell-Troy <alovelltroy@lanl.gov>