api: add basic jwt support with required scope (#2624)

* api: add basic jwt support with required scope

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* api: only set auth_via when actually authenticating via token

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* save consented permissions in user consent, re-prompt when new permissions are required

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* update locale

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* translate special scope map

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* more api auth tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* build web api in e2e tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* link generated client instead of copying

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

website/developer-docs/api/api.md

@@ -8,4 +8,18 @@ To generate an API client, you can use the OpenAPI v3 schema at https://authenti
 
 While testing, the API requests are authenticated by your browser session.
 
-To send an API request from outside the browser, you need to set the `Authorization` Header to `Bearer <your token>`.
+## Authentication
+
+For any of the token-based methods, set the `Authorization` header to `Bearer <token>`.
+
+### Session
+
+When authenticating with a flow, you'll get an authenticated Session cookie, that can be used for authentication. Keep in mind that in this context, a CSRF header is also required.
+
+### API Token
+
+Superusers can create tokens to authenticate as any user with a static key, which can optionally be expiring and auto-rotate.
+
+### JWT Token
+
+OAuth2 clients can request the scope `goauthentik.io/api`, which allows their OAuth Refresh token to be used to authenticate to the API.