Hi,

Some of you might have noticed my last commit, so please take this mail as a heads-up. I am on the road to introducing extensibility for the authentication and entitlement in OpenWhisk.

The changes are motivated by the need to integrate OpenWhisk more tightly into an existing (but unfortunately partly proprietary) identity and management system used in the IBM cloud.

The first change will be to introduce an SPI to exchange the existing EntitlementProvider with an alternative implementation. Since the EntitlementProvider is already implemented as an SPI-like interface, this change is very straightforward.

The authentication changes will address two areas. First, the REST API will be enabled to read other authentication formats and tokens (e.g. bearer tokens); second, the ability has to be added to pass different authentication information to the user actions. I plan to address this by introducing an SPI to swap the AuthorizationDirective in the RestApi and adding a mechanism to transport variant information in the authentication key to the invoker.

All changes are designed to be transparent to the existing authentication and entitlement implementations using the subject db.

I will open pull requests for all these changes in the next days. Feel free to comment now on this mail or later on the pull requests.

Kind regards,
Martin