I'm evaluating alternatives to GeoServer for a geographic data store.
I see there's a feature request about adding CRUD operations (which would be nice for my use case), but not a lot about authentication and authorisation, which become more significant with writable data stores.
What I'd like to have with that is:
- ability to disable anonymous access to collections, or only provide anonymous access to a subset of collections
- restrict availability of collections to certain users / groups
- don't show collections to users who don't have access in collection lists (/collections/)
- restrict write access to collections to certain users, and only advertise it to users who have that access
- be able to rewrite mutation operations, so I can attribute changes to a user and/or IP (to work with PL/SQL history triggers - similar to GeoServer's features-autopopulate plugin)
- use OIDC for federated authentication
There are some other things that could be nice to have (though probably not for me):
- per-item/feature (i.e. row-based) access controls
- write-only layers, which could allow a user to put a feature into a "drop box" for review (and later publishing)
- delegate ACLs to an external system (with change control) which can be "deployed" to tipg
- using end-user credentials (like a JWT) to access data stores, so that tipg itself doesn't need its own access, and ACLs can be moved to the data storage layer