Add Authentication topic

Example and graphics contributed by @ojeker

Author: pka

README.md

@@ -1,5 +1,5 @@
-QWC2 Documentation
-==================
+QWC Documentation
+=================
 
 Published at [qwc-services.github.io](https://qwc-services.github.io).
 

qwc2.yml.in

@@ -24,6 +24,7 @@ nav:
             - Reports: topics/Reports.md
             - 3D View: topics/View3D.md
             - Translations: topics/Translations.md
+            - Authentication: topics/authentication.md
             - Interfacing with applications: topics/Interfacing.md
             - Multi-tenancy: topics/MultiTenancy.md
         - References: references/index.md

src/images/iam-diagram.puml

@@ -0,0 +1,38 @@
+@startuml
+
+package Identity-Management{
+    component "Authentication\nService 1" as as1 {
+        artifact "Private-Key"
+    }
+    component "Authentication\nService 2" as as2 {
+        artifact "Private-Key" as pk2
+    }
+
+    component "Map Viewer" as client {
+        artifact "ID-Token"
+    }
+
+    package Benutzer-Register{
+        database "IDP" as idp
+        database "LDAP" as ldap 
+    }
+
+as1 -- idp
+as2 -- ldap
+client -- as1
+client -- as2
+}
+
+package Access-Management {
+    component dataservice as ds {
+        component "Access-Manager" {
+            file permissions.json
+            artifact "Public-Key"
+        }
+        
+    }
+}
+
+client -- ds
+
+@enduml

src/images/iam-diagram.svg

@@ -0,0 +1,64 @@
+# Authentication
+
+## Authentication Service
+
+An authentication service uses a specific user identity store (e.g. DB, LDAP) or interacts with an Identity Provider (IdP) to confirm the user's identity. The service issues the JWT token, signs the token with a JWT secret key and transfers it to the web client.
+
+QWC provides several authentication services:
+
+- [Database Authentication Service](../../references/qwc-db-auth_readme/): Authenticates users against a database.
+- [LDAP Authentication Service](../../references/qwc-ldap-auth_readme/): Authenticates users against an LDAP server.
+- [OpenID Connect Authentication Service](../../references/qwc-oidc-auth_readme/): Authenticates users against OIDC providers like Keycloak, AD, etc.
+
+### Access management
+
+qwc-services-core library:
+
+  * Verifies the signature of the JWT token with the JTW secret key
+  * Ensures that the JWT token has not expired
+  * Extract permissions of a user from `permissions.json`
+
+QWC Service:
+
+  * Uses `qwc-services-core` to read the permissions of the current user
+  * Handles user permissions for certain resources (maps, layers, etc.)
+
+## Artifacts
+
+### JWT token
+
+Token with a common structure between different authentication services, which contains the user name of the user logged in to the IDP.
+
+The JWT token is usually transferred as part of the session cookie.
+
+### permissions.json
+
+Contains information about which users have read and write access to which layers.
+
+## IAM example
+
+![diagram.svg](../images/iam-diagram.svg)
+
+Using the example of the Map Viewer, the Data Service, and the Authentication Services, the diagram explains how identity and access management works in conjunction with the various components of the QWC.
+
+### Map Viewer
+
+Web GIS component running in the browser. Retrieves an JWT token from the Authentication Service for the user and then uses it when communicating with the Data Service. Retrieves a new token when the currently used token expires.
+
+Oauth2 role: Client
+
+### Authentication Service
+
+Issues the singed JWT token and returns it to the Map Viewer.
+
+Oauth2 role: Authorization Server (authentication part).
+
+Of the two tasks of authentication and authorization performed by an authorization server, the AS performs only authentication.
+
+### Data Service
+
+* Uses `qwc-services-core` to read the permissions of the current user.
+* Checks whether access to the layer is permitted for the user ID in the JWT token.
+* Then accesses the layer in read/write mode.
+
+Oauth2 role: Resource server