[FEATURE] Handle the edge cases of On-behalf-of Authentication

[RyanL1997]

Problem

Since the OBO Token can perform on behalf of another user, it is necessary for us to frame the usages of this token.

• Relate [META] On-Behalf-Of Authentication #2573

Goal for closing this issue

**Implemented functionalities **

• OBO Token cannot be used to issue another OBO token
• OBO Token cannot be used to change the passwords

Follow up work of refactoring

• Transfer the checking logic into individual functions [2] (e.g. a util class?)

Reference

[1] : https://github.com/opensearch-project/security/pull/3179/files/b31555926c59aafe9a310d64918002b91d51c676#diff-0550f691677d70fb9da2b6d5baf7d342bc670e0618a8598a259117818cb66f86R230
[2] : #3179 (comment)

[DarshitChanpura]

[Triage] Thanks for filing the issue.

[peternied]

Capturing comment from the pull request, [comment]

I'm struggling to think what the correct criteria is for these restrictions, while the issue has called out the OBO tokens creation API, I think we should articulate the criteria for something to be acceptable vs not acceptable first. Lets try to build consensus around this idea first before implementing restrictions so we can be consistent.

What if instead of denying permissions to different APIs system, what if instead only let you create OBO tokens that expire at latest when the currently OBO token expires. This prevents the 'no expiration' in a more 'logical' way than the permissions denial.