[Chore] Evaluate penguin-aaa for authentication layer #70
Status: Open
Labels
- component:api (API)
- priority:low (Low priority)
- security (security related issue)
- status:ready (Ready to work on)
- type:chore (Maintenance or tooling)
Description
User Story
As a maintainer, I want to evaluate whether penguin-aaa can replace or supplement Elder's custom Flask-Security-Too authentication so that auth/authz follows the standardized OIDC claims/scopes pattern.
Background
Elder currently uses Flask-Security-Too with custom auth code in:
- apps/api/portal_auth.py: Portal authentication service
- apps/api/services/auth/: Auth services
- Custom JWT handling and role-based access
penguin-aaa (pip install penguin-aaa) provides:
- OIDCProvider / OIDCRelyingParty: OIDC identity management
- Claims, TokenSet: JWT/OIDC data types
- KeyStore: Key management
- Flask middleware for auth/authz
- SPIFFE/SPIRE support for service-to-service auth
- Audit logging
Per security.md: "ALL permission checks MUST be based on OIDC-style claims and scopes."
Acceptance Criteria
- Evaluate penguin-aaa v0.1.0 API surface against Elder's auth requirements
- Document gaps between penguin-aaa and current Flask-Security-Too setup
- If viable: migrate auth to penguin-aaa with OIDC claims/scopes
- If not viable: document what penguin-aaa needs before migration is possible
- Tenant isolation maintained
- MFA support preserved
- All existing API auth flows work
- Tests pass (unit + integration)
- Security scan passes
Notes
- penguin-aaa is v0.1.0 — may not be mature enough yet
- Flask-Security-Too is well-tested and working — only migrate if penguin-aaa is clearly superior
- This may be a partial adoption (e.g., use penguin-aaa middleware alongside Flask-Security-Too)
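The shape of a permission check that satisfies the security.md rule above (decisions derived only from OIDC-style claims and scopes) while keeping the tenant-isolation and MFA criteria, as an added example; this is not penguin-aaa's or Elder's code, and the claim names (`scope`, `tenant`, `amr`) are assumptions about the token schema, not penguin-aaa's real API.

```python
"""Added example (not penguin-aaa or Elder code): authorize purely from
OIDC-style claims and scopes, preserving tenant isolation and MFA.
Claim names below are assumptions, not penguin-aaa's real schema."""
import time
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Claims:
    """Validated token claims. Signature/issuer checks are assumed done upstream."""
    sub: str                      # subject (user or service identity)
    exp: int                      # expiry, seconds since epoch
    scope: str = ""               # OAuth-style space-separated scopes
    tenant: Optional[str] = None  # assumed custom claim naming the tenant
    amr: List[str] = field(default_factory=list)  # auth methods, e.g. ["pwd", "mfa"]

class AuthzError(Exception):
    """Raised when a claims/scope check fails; the caller maps it to 401/403."""

def scopes_of(claims: Claims) -> set:
    return set(claims.scope.split())

def authorize(claims: Claims, required: List[str], tenant_id: Optional[str] = None,
              require_mfa: bool = False, now: Optional[float] = None) -> bool:
    """Return True only if every check passes; otherwise raise AuthzError.
    Every decision comes from the claims, never from a local role table."""
    now = time.time() if now is None else now
    if claims.exp <= now:
        raise AuthzError("token expired")
    missing = set(required) - scopes_of(claims)
    if missing:
        raise AuthzError("missing scopes: " + ", ".join(sorted(missing)))
    # Tenant isolation: a valid token for tenant A must never act on tenant B.
    if tenant_id is not None and claims.tenant != tenant_id:
        raise AuthzError("tenant mismatch")
    # MFA preserved: demand an 'mfa' authentication-method reference when asked.
    if require_mfa and "mfa" not in claims.amr:
        raise AuthzError("MFA required")
    return True

def decide(claims, required, tenant_id=None, require_mfa=False, now=None):
    """Non-raising wrapper returning (allowed, reason) for audit logging."""
    try:
        authorize(claims, required, tenant_id, require_mfa, now)
        return True, "ok"
    except AuthzError as e:
        return False, str(e)
```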