Implementing alternate long term authentication solutions

Open robbiet480 opened this issue 7 years ago • 1 comments

Once some form of #68 gets implemented it won't make much sense to continue using a username/password combination for authentication. Even without #68 being implemented, username and password authentication usually is not the most secure or stable way to authenticate.

I'd like to gather feedback about implementing some form of two-way handshaking between Distributor instances to allow for easier initial setup (only having to configure connections from one side, assuming the other side has "allow new connections" set) as well as long-term authentication to the REST API using exchanged tokens specific to a single Distributor install instead of username/password. My personal recommendation for token management and authentication would be a forked version of the JWT plugin, but instead of generating tokens from username/password, it would generate tokens if a proper request was presented from a previously authorized (via the initial setup handshake) request.

A lot of the groundwork for alternate authentication styles was completed via #58; my initial research shows a new authentication style should pretty much be a drop-in. I'm not necessarily suggesting username/password auth is even removed quite yet, I'm just looking for an alternative to be provided.

robbiet480 avatar Feb 23 '18 22:02 robbiet480

Note that there have been discussions (see related REST API office hours chat archive) about adding a REST JWT Auth plugin to WordPress core. It may be worth waiting to see how that pans out and leverage that instead of rolling something unique/specific to Distributor.

jeffpaul avatar Mar 08 '19 21:03 jeffpaul