
Add DPG: Boxtribute (10896)

Open dpgabot opened this issue 1 year ago • 3 comments

Public Link : https://app.digitalpublicgoods.net/a/10896

dpgabot avatar Sep 03 '23 20:09 dpgabot

A previous renewal application was marked as ineligible because clarifications were not submitted on time - https://app.digitalpublicgoods.net/a/10565 / PR #1607

ricardomiron avatar Sep 11 '23 01:09 ricardomiron

Requested clarification:

  1. The project depends directly on Auth0, e.g. https://github.com/boxwise/boxtribute/blob/master/docs/adr/adr_auth0.md and https://github.com/boxwise/boxtribute#authentication. Auth0 is a certified OpenID Connect provider; you should use the OIDC standard instead of relying directly on the Auth0 offering, in order to comply with the platform independence requirements.
  2. Authentication (Authn) is offered by an OIDC Identity Provider, but it seems there is also a dependency for Authorization (Authz) on how Auth0 models the permissions. Is this correct? https://auth0.com/docs/manage-users/access-control/rbac#rbac-model
  3. Can the use of Auth0 be swapped for other open source solutions like Keycloak? https://github.com/boxwise/boxtribute/tree/master/back#authentication-and-authorization

Response:

A question regarding our dependency on Auth0 was referenced in our previous application (#10565). As you note, we could in principle switch the implementation to use a generic OIDC library instead of specifically using Auth0 libraries, most likely via Link in the case of our PHP app. For authorization, we utilise Auth0's role based access controls (RBAC) and push both roles and role assignments to Auth0. Unfortunately there are no RBAC standards for syncing these to our knowledge and as such, these would always be more tightly coupled to the provider. Given Keycloak also supports RBAC and has an API, we currently see no reason why in principle our implementation could not be adapted to do so.

ricardomiron avatar Sep 11 '23 01:09 ricardomiron
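Added example, not Boxtribute's own code: the split the response above describes, with ID-token authentication done purely against the OIDC standard (signature, iss, aud, exp) and the vendor-specific part, where each provider places roles, isolated in one small adapter table so Auth0 and Keycloak differ only there. The issuer URLs, client secret, namespaced role claim and HS256 are assumptions (OIDC Core permits HS256 keyed with the client secret; RS256 with keys fetched from the provider's jwks_uri is the usual production setup).

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims: dict, client_secret: str) -> str:
    """Constructed stand-in for the provider: issues an HS256-signed ID token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

# Authz adapter: the only provider-specific knowledge. Auth0 exposes roles through a
# namespaced custom claim (name assumed here); Keycloak uses realm_access.roles.
ROLE_CLAIM = {
    "auth0": lambda c: c.get("https://boxtribute.example/roles", []),
    "keycloak": lambda c: c.get("realm_access", {}).get("roles", []),
}

def verify_id_token(token, client_secret, issuer, audience, provider, now=None):
    """Provider-agnostic authn per OIDC Core: signature, iss, aud, exp.
    Returns (subject, roles); raises ValueError on any failed check (fail closed)."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # allow-list the algorithm, never trust 'alg' blindly
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")      # swapping providers means changing this value only
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    return claims["sub"], list(ROLE_CLAIM[provider](claims))
```

Role *assignments* still live in the provider, which is the coupling the response points out; this adapter only normalises how they are read back.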

@kagaba please provide further support on how to create a patch or fork where they implement a generic OIDC library instead of specifically using Auth0.

ricardomiron avatar Oct 23 '23 00:10 ricardomiron