[JWT] New authentication endpoint for JWT #3289

Open
6 tasks
jsoriano opened this issue Feb 19, 2024 · 0 comments

Comments

@jsoriano
Member

jsoriano commented Feb 19, 2024

Provide a new authentication endpoint POST /api/fleet/authenticate that can be used to obtain JWT tokens.

This endpoint should accept as valid credentials: current API keys, JWT access tokens and refresh tokens.

JWT access tokens are JWT tokens with the following claims:

  • Iss (issuer): A unique fingerprint of the project or the signing key.
  • Sub (subject): The Agent ID associated with the given API key.
  • Jti (JWT ID): Unique ID for the token, generated randomly.
  • Exp (expiration): Expiration time, in seconds after Unix epoch.

Additionally, refresh tokens should be emitted. Refresh tokens are just randomly generated strings. They are intended to have a single use, to be used when the JWT access token has expired.

When emitted, Fleet Server should store the JWT ID and a hash of the refresh token in .fleet-agents. Rotation must be persisted only after the agent uses the new key, to ensure that it has been received.

Generated tokens are sent to the client as part of the response using HTTP headers.

Whenever possible, reuse existing libraries, such as go-oauth2.

Requirements:

  • Settings for JWT:
    • Enable/disable JWT.
    • Expiration of JWT access tokens.
  • Generation of JWT access tokens.
  • Generation of refresh tokens.
  • Telemetry about the tokens emitted and the time to emit them.
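The token model described above, as an added Go sketch that is not part of the issue or of fleet-server: an access token signed with HS256 and carrying the four listed claims, a random refresh token of which only a SHA-256 hash is kept on the agent record, and single-use redemption of that refresh token. AgentRecord, IssueTokens, RedeemRefresh and the demo key are assumed names; access-token verification and persistence to .fleet-agents are not shown.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"time"
)

// AgentRecord is an assumed stand-in for the .fleet-agents document: it keeps the
// current token's JTI and only a SHA-256 hash of the refresh token, never the token.
type AgentRecord struct {
	JTI         string
	RefreshHash [32]byte
}

var b64 = base64.RawURLEncoding

func random(n int) string {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand never returns an error on supported Go releases
	return b64.EncodeToString(b)
}

// IssueTokens mints an HS256 access token carrying the four claims from the issue
// plus a one-time refresh token, and records the JTI and refresh hash on rec.
func IssueTokens(key []byte, iss, agentID string, ttl time.Duration, now time.Time, rec *AgentRecord) (access, refresh string) {
	jti := random(16)
	body, _ := json.Marshal(map[string]any{"iss": iss, "sub": agentID, "jti": jti, "exp": now.Add(ttl).Unix()})
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	refresh = random(32)
	rec.JTI, rec.RefreshHash = jti, sha256.Sum256([]byte(refresh))
	return input + "." + b64.EncodeToString(mac.Sum(nil)), refresh
}

// RedeemRefresh accepts a refresh token exactly once: on a constant-time match of its
// hash the stored hash is cleared, so a replayed or guessed token is rejected.
func RedeemRefresh(refresh string, rec *AgentRecord) bool {
	h := sha256.Sum256([]byte(refresh))
	if !hmac.Equal(h[:], rec.RefreshHash[:]) {
		return false
	}
	rec.RefreshHash = [32]byte{}
	return true
}
```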