Auth client that wraps authn and authz #2028
Comments
This is related to #2264. In #2264 the idea is to create separate gRPC APIs for policy CRUD, AuthN, and AuthZ, and in this one, the idea is to have an abstraction over those clients so that we can either call the Auth service gRPC APIs or SpiceDB directly.
After PR #2392 is merged, I'm thinking of having Authentication and Authorization in a single place, i.e. in AuthService, for both users and things.
@dborovcanin's idea: services like Users, Things, Bootstrap, etc. will import the "Policy Service" and "Auth Service" as libraries in their code. A service doesn't know how these libraries are connected to the "Policy Service" or the "Auth Service". If we want to achieve this, one way is to add a wrapper above the existing gRPC client. But I'm not sure about the approach for the "Policy Service", because the Policy Service library can either connect directly to SpiceDB or connect to the Auth Service, where the Auth Service acts as a proxy to SpiceDB.
Create a wrapper for PolicyCRUD alone; at present the wrapper can communicate with the Auth service. In the next PR, replace the Auth service in the wrapper with SpiceDB. In the same way, we need a wrapper for Authn/Authz, and then move Auth to middleware. It should be implemented service by service (one service per PR). Then the Authn/Authz wrapper can use JWT for user Authn, and for thing Authn it can verify with the Things service via gRPC.
This is the absolute priority for the following sprint. It is blocking development related to constraints and PAT, but also the restructuring of the whole svc layer. @arvindh123 Please create follow-up tickets and use this as an umbrella task for this initiative.
This is an umbrella issue for a couple of tasks. Only the JWT part is remaining and there is a corresponding issue, so I'm closing this one.
Extract all the common things (kinds, types, relations, permissions, gRPC client...) into a lib. The library could encapsulate gRPC calls directly to SpiceDB (no auth svc in between) in some cases (things, where you don't need to process a token, but you do need access to Redis).
Create a wrapper for PolicyCRUD that currently communicates with the Auth service. #2403
Replace policy gRPC client in policy CRUD wrapper with direct communication with SpiceDB. #2404 In the PolicyCRUD wrapper, replace the Auth service with direct communication with SpiceDB.
Feature: Create wrapper for Authn/Authz #2410 Create wrappers for Authn/Authz, and then move Auth to middleware.
Move Auth to middleware in Users Service.
Move Auth to middleware in Things Service.
The Authn/Authz wrapper should use JWT for user authentication. For thing authentication, it should verify with the things service via gRPC.