
Need authorization without authentication

Open pantaoran opened this issue 5 months ago • 6 comments

Feature or Problem Description

In my enterprise environment, we have Apicurio running behind an API GW. The gateway takes care of authenticating the user in a standardized way (we can choose between different methods and decided on OIDC client credentials) and forwards the authenticated identity (JWT token in an HTTP header) to Apicurio. What I want: Apicurio should take that authenticated identity and make authorization decisions based on it, without trying to perform its own authentication.

Proposed Solution

Reading the Apicurio docs, it seems like authentication and authorization are tightly coupled. To achieve owner-based access control (OBAC), I need to either integrate Keycloak or Azure AD, but both solutions would first perform their own authentication. My wish is to have a possibility of decoupling. I already have authentication solved in the API gateway, so I don't want Apicurio to do that again.

Additional Context

In version 2.5 of Apicurio there is a basically undocumented feature called multitenancy. This seems to fulfill my needs well, but unfortunately it is being removed in v3.0. Now I'm wondering what to use in the future.

pantaoran Sep 05 '24 07:09
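The split the issue describes (gateway authenticates, service only authorizes) is sound, but the service still has to prove that the forwarded identity really came from the gateway; otherwise any client that can reach the service directly can put an arbitrary subject in the header. The following is an added example, not Apicurio Registry code, showing the minimal shape of that trust boundary: the service verifies the forwarded JWT's signature and expiry against a secret it shares with the gateway (the header name `X-Forwarded-Identity`, the HS256 shared secret, the claim names `sub`/`roles`, and the artifact-owner table are all constructed assumptions), then applies an owner-based rule on top of the verified claims. Re-authenticating the user (password, client credentials, redirects) never happens here; only the integrity of what the gateway forwarded is checked.

```python
"""Added example (not Apicurio Registry code): accept a gateway-forwarded
identity and make owner-based authorization decisions on it.

Assumptions (all constructed for this example):
- the gateway forwards the caller's JWT in the header "X-Forwarded-Identity"
- the JWT is HS256-signed with a secret shared only by gateway and service
- the token carries "sub" (user id), optional "roles" (list) and "exp"
"""
import base64
import hashlib
import hmac
import json
import time

GATEWAY_SECRET = b"constructed-shared-secret-do-not-reuse"  # constructed
IDENTITY_HEADER = "X-Forwarded-Identity"                     # assumed name


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; stands in for what the gateway / IdP would issue."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    """Verify signature, algorithm and expiry; raise ValueError on failure.

    The service does not re-authenticate the user, but the signature is the
    proof that the forwarded identity came from the trusted gateway. A header
    value anyone can forge is not an identity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":            # refuse "none" and key confusion
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] < now:
        raise ValueError("token expired")
    if "sub" not in claims:
        raise ValueError("no subject")
    return claims


def identity_from_headers(headers: dict, secret: bytes, now=None) -> dict:
    """Extract and verify the gateway-forwarded identity; missing header fails."""
    token = headers.get(IDENTITY_HEADER)
    if not token:
        raise ValueError("no forwarded identity")
    return verify_jwt(token, secret, now)


# Constructed registry state: artifact id -> owner subject
ARTIFACTS = {"orders-avro": "alice", "users-json": "bob"}


def authorize(identity: dict, action: str, artifact_id: str) -> bool:
    """Owner-based access control: reads are open to any verified caller,
    writes and deletes require ownership or the admin role."""
    if artifact_id not in ARTIFACTS:
        return False
    if action == "read":
        return True
    if "admin" in identity.get("roles", []):
        return True
    return ARTIFACTS[artifact_id] == identity["sub"]


def handle(headers: dict, action: str, artifact_id: str, now=None) -> str:
    """Run both steps for one request; returns an HTTP-like status code.
    401 = forwarded identity missing or not provably from the gateway,
    403 = identity fine but the OBAC rule denies the action."""
    try:
        identity = identity_from_headers(headers, GATEWAY_SECRET, now)
    except ValueError:
        return "401"
    return "200" if authorize(identity, action, artifact_id) else "403"


if __name__ == "__main__":
    alice = sign_jwt({"sub": "alice", "roles": ["developer"], "exp": 2_000_000_000},
                     GATEWAY_SECRET)
    print(handle({IDENTITY_HEADER: alice}, "write", "orders-avro"))  # 200
    print(handle({IDENTITY_HEADER: alice}, "write", "users-json"))   # 403
    forged = sign_jwt({"sub": "bob", "roles": ["admin"]}, b"not-the-gateway")
    print(handle({IDENTITY_HEADER: forged}, "write", "orders-avro"))  # 401
```

In a real deployment the shared secret would be replaced by the IdP's public key (RS256/ES256 via JWKS) so the service never holds signing material, and the service would additionally be reachable only from the gateway at the network level; the decision logic on top of the verified claims stays the same.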