Problem Statement
Satellite currently supports several authentication mechanisms:

• internal username & password
• internal username & personal access token
• oauth 1 (only for internal use)
• JWTs for host registration
• LDAP
• integration with external identity providers (IdM, AD, Keycloak)

OAuth2.0 is a modern standard, that provides a unified, industry-recognized framework for delegated authorization. Unlike Personal Access Tokens (PATs), which are often long-lived and over-privileged, OAuth 2.0 allows for granular "scopes," automatic token expiration (refresh tokens), and a "Handshake" flow that prevents users from ever having to share their primary credentials with third-party integrations.

User Experience & Workflow

We should more or less mirror what AAP does AAP - Token-Based Authentication

Requirements

• Integration of a provider library (e.g., Doorkeeper) into the Rails core to manage applications and tokens.
• Implementation of initial scopes by mapping existing permissions (and roles?) to restrict tool access.
• UI/API/CLI for management of OAuth 2 applications and tokens
• (optional) Removal of OAuth 1

Business Impact
Implementing OAuth 2 would benefit us by:

• allow issuing scoped tokens instead of PATs we have now
• making it easier to integrate Satellite with 3rd party tooling (such as MCP servers)
• allowing us to drop some of the authentication methods which are rather dated at this point