This repository was archived by the owner on May 29, 2024. It is now read-only.

Accept JWT authentication for agents #2

Closed
afandian opened this issue Oct 19, 2016 · 2 comments

Comments

@afandian
Contributor

afandian commented Oct 19, 2016

Every Event must include a JWT token. This should be used to authorize the Events.

  • Allow configuration of more than one Token so that more than one party can authorize Agents
  • Send appropriate HTTP response when the Event fails due to authorization

Tokens should claim at least:

  • the source ID of the Agent
  • the issuer (DataCite or Crossref)
  • the source name

By including the source ID, we allow the Agent to subsequently modify stored Events for compliance reasons.

@mfenner
Collaborator

mfenner commented Oct 19, 2016

I like the idea to put the message_envelope into a JWT token, but I am not sure whether this should include source name. Will the token be encrypted?

@afandian
Contributor Author

To clarify, we have two things:

  • source token, which is a GUID, in the envelope. This is public and identifies the agent.
  • authentication token in the HTTP headers. This is secret and authorizes the agent.

I am suggesting that we use JWT for the authorization token. This includes claims for the source token.

I included the source token in the claim in the header so that an Agent has the authorization to delete an Event in future, see #6. The downside is one token per Agent or we make tokens with multiple claims.

afandian pushed a commit that referenced this issue Nov 23, 2016
@afandian afandian added this to the first-staging-rountrip milestone Nov 29, 2016
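
The scheme discussed in this thread, sketched as an added example (not code from this repository): a JWT in the HTTP header is checked against several configured secrets, and its source claim is compared with the public source token in the envelope. Assumptions not stated in the issue: HS256 signatures, the claim names `iss` and `sub`, the envelope field `source_token`, the sample secrets, and the 401/403/201 status mapping.

```python
import base64, hashlib, hmac, json

# Assumptions (not from the issue): HS256, claim names "iss" and "sub"
# (sub = the Agent's source token), envelope field "source_token".
SECRETS = [b"constructed-secret-crossref", b"constructed-secret-datacite"]
ISSUERS = {"crossref", "datacite"}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign(claims, secret):
    """Build an HS256 token; used here only to construct sample input."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def verify(token, secrets=SECRETS):
    """Return the claims if any configured secret validates the token, else None."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        if header.get("alg") != "HS256":   # pin the algorithm; rejects "none"
            return None
        signature = b64url_decode(sig)
        signing_input = f"{head}.{body}".encode()
        for secret in secrets:             # more than one party may authorize Agents
            expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
            if hmac.compare_digest(expected, signature):
                claims = json.loads(b64url_decode(body))
                return claims if isinstance(claims, dict) else None
    except (ValueError, AttributeError):   # malformed base64, JSON or structure
        pass
    return None

def authorize_event(headers, envelope):
    """Return the HTTP status for an Event submission."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    claims = verify(token) if scheme == "Bearer" else None
    if claims is None or claims.get("iss") not in ISSUERS:
        return 401   # missing, malformed or unverifiable token
    if claims.get("sub") != envelope.get("source_token"):
        return 403   # valid token, but not for this Agent's source token
    return 201
```

Binding `sub` to the envelope's source token is what lets a later delete or modify request be limited to Events from the same Agent.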