@mehmet-yoti
Contributor

Automated PR created by n8n. Related Jira Issue: SDK-2767

@mehmet-yoti
Contributor Author

@copilot do To implement support for the new Central Auth system in the SDKs, we need a structured plan to ensure compatibility and flexibility for integrating and transitioning from the current signed-request authentication to the new token-based system. Below is a detailed implementation plan broken down into key tasks and subtasks:

Implementation Plan

1. Requirements Analysis

  • Review Yoti Central Auth Documentation: Gather and understand the specifications for the new authentication mechanism.
  • Identify Existing SDK Capabilities: List current SDK features related to authentication for seamless integration with the new system.
  • Define Token Lifecycle Management: Discuss and determine the policy for token generation, renewal, and expiration handling.

2. Design Phase

  • API Changes Design: Document the changes needed in the SDK API to support both signed-request and token-based authentication.
  • Auth Strategy Selector: Design a mechanism for Relying Businesses to select and switch between authentication schemes.
  • Authorization Header Integration: Plan how the Authorization header will be injected into requests using the provided authentication tokens.
  • Backward Compatibility Strategy: Draft a strategy to maintain compatibility with the existing signed-request authentication system.

3. Development

  • Create Auth Module for Central Auth:
    • Implement token generation, validation, and expiration handling.
    • Develop functionality to read and apply the selected authentication scheme.
  • Integrate Auth Strategy Selector:
    • Add configuration settings allowing Relying Businesses to choose their preferred authentication method.
    • Implement logic to switch between signed-request and token mechanisms.
  • Authorization Header Implementation:
    • Update HTTP request building logic to include the Authorization header derived from the token authentication process.
  • Testing Framework Update:
    • Develop unit and integration tests to validate both authentication methods.

4. Documentation

  • Update SDK Documentation:
    • Add comprehensive documentation covering new auth mechanisms, configuration settings, and migration guidelines.
  • Developer Guides and Examples:
    • Provide examples illustrating how to switch between authentication methods and use the new token-based system.

5. Testing and Quality Assurance

  • Unit Testing:
    • Thoroughly test new auth modules to ensure robustness and error handling.
  • Integration Testing:
    • Validate end-to-end SDK functionality with both auth systems in a real-world environment.
  • Performance Testing:
    • Assess if the introduction of Central Auth affects performance and optimize as necessary.

6. Deployment and Support

  • Release Strategy:
    • Plan a phased deployment, initially offering both auth methods before potentially phasing out signed-request in the future.
  • Client Support and Feedback:
    • Communicate changes with existing Relying Businesses and offer support during the transition.
    • Collect feedback for future improvements.

Discussions and Open Questions

  • Token Management: Determine policies concerning automatic token renewal and the extent of SDK responsibility over token lifecycle management.
  • Deprecation Plan: Discuss long-term plans for deprecating the signed-request mechanism once Central Auth is adopted.

This detailed plan covers all the necessary aspects for implementing the Central Auth system in existing SDKs, ensuring a balanced approach that accommodates both new and existing authentication needs.

Copilot AI commented Nov 27, 2025

@mehmet-yoti I've opened a new pull request, #386, to work on those changes. Once the pull request is ready, I'll request review from you.
