Spike: Authentication and RBAC solution for Console

[graikhel-intel]

Description

Console currently provides a simple username and password based authentication mechanism configured through config.yml.

This spike explores how Console can support authentication and role-based access control in a way that integrates with customers' existing identity providers, RBAC systems, and security tooling.

The goal is not to introduce or bundle a specific authentication platform, but to define how Console can integrate with common enterprise authentication systems (for example OIDC/OAuth2 based identity providers) and enforce role-based access to Console APIs and UI functionality.

The solution should also ensure that Console remains simple to deploy for standalone installations on Windows and Linux, without requiring additional infrastructure such as Docker or Kubernetes.

Some of the role requirements below were raised in the following open issue: #701

Console should support the following user roles:

Admin Users

• Full access to Console
• Can add and delete devices
• Can view and manage AMT information
• Can access all device details and administrative controls

Normal Users

• Can restart devices
• Can power devices on or off
• Cannot view AMT information or detailed device data
• Cannot add or delete devices
• Cannot access administrative functions

Endpoint Users

• Can view AMT information and device details
• Cannot restart, power on, or power off devices
• Cannot manage devices
• No access to administrative controls

Open Questions

• What authentication standards should Console support to integrate with enterprise identity providers (OIDC, OAuth2, etc.)?
• How should authentication tokens be handled for Console APIs and UI flows?
• How should APIs be designed so only authorized roles can access specific endpoints?
• Should authorization checks be enforced at the API layer, UI layer, or both?
• How can Console integrate with external identity providers without requiring additional infrastructure for simple standalone deployments?
• What deployment options exist for enterprise customers who want a simple setup without Docker/Kubernetes?

Acceptance Criteria

• Define how Console can integrate with external identity providers.
• Define how role-based access is enforced for Console APIs.
• Document the proposed authentication and RBAC architecture.
• Identify follow-up implementation work if changes are required.
• Should authorization checks be enforced at the API layer, UI layer, or both?
• What deployment options exist for enterprise customers who want a simple setup without Docker/Kubernetes?