Determine how auth tokens are forwarded to Extensions

[davidlago]

With the security plugin, the auth token to be forwarded to an extension will be generated after successful authentication on a request destined for an extension. The actual request forwarding is performed in the extensions rest handler RestSendToExtensionAction. This handler needs to be able to obtain the generated token to forward to the extension.

[stephen-crawford]

We can use this: opensearch-project/OpenSearch#7452. The security plugin would implement the interface and then the Extension manager could pass everything into the RestSendToExtensionAction.

[cwperks]

[Triage] Assigned to @scrawfor99 . Please update with more details on what the initial interface will look like.

[stephen-crawford]

Overview of the interface:

PR opensearch-project/OpenSearch#7452, will introduce a new TokenManager interface to be used as a template for what an IdentityPlugin will expect any implementation to support. The TokenManager Interface defines five operations which are supposed to be implemented:

1. public AuthToken issueToken(): Issues a new AuthToken
2. public boolean validateToken(AuthToken token): Validates an auth token based on the rules associated with its format
3. public String getTokenInfo(AuthToken token): Fetch the info from a token
4. public void revokeToken(AuthToken token): Revokes a token that should no longer be treated as valid
5. public void resetToken(AuthToken token): Updates a token to be valid for a greater period of time or to have different attributes.

Each of the implementing methods are relatively straightforward. The only ones which may require complicated handling are token issuance and token revocation.

Issuing a token is likely to requiring overloading the method in some implementations of the IdentityPlugin. For example you may need to pass extension information to an IdentityPlugin for a new token to be created for that extension. At the same time, a key-based system could simply generate a random key with no information.

Revoking a token can also be complicated depending on the implementation. For example, you would not want to create a revocation list for a token that encoded BasicAuth information. Instead, you may need to erase the token to effectively disable it.

[stephen-crawford]

opensearch-project/OpenSearch#8679