spring-authorization-server

ref-doc: Roadmap to Production checklist

Open · sjohnr opened this issue 2 years ago · 1 comment

A "Roadmap to Production" (or similar) page in the docs will be helpful for outlining the types of concerns (checklist) necessary when going from "Getting Started" all the way to production. Some topics to be covered include:

  • Using a persistent implementation of RegisteredClientRepository, OAuth2AuthorizationService and OAuth2AuthorizationConsentService
  • How the choice of authentication mechanisms and persistence affects the architecture (e.g. sub-systems used, shared database, etc.)
  • Session management on the server including distributed sessions, session affinity/stickiness and scaling

It might be helpful to also include considerations for Spring Security-based clients as well. Additional topics to be covered could include:

  • Using a persistent implementation of ClientRegistrationRepository, OAuth2AuthorizedClientRepository and OAuth2AuthorizedClientService
  • How the choice of authentication mechanisms and persistence affects the architecture (e.g. sub-systems used, shared database, etc.)
  • Session management on the client including distributed sessions, session affinity/stickiness and scaling

Some additional topics to cover might include:

  • Testing with real architecture components and setup

sjohnr, Jul 12 '22 16:07
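The first bullet of the checklist above (swapping the in-memory stores from "Getting Started" for persistent ones) is the change most deployments get wrong, so here is what that wiring looks like. This is an added example written for this page, not code from the Spring Authorization Server project or its documentation. It assumes Spring Authorization Server 1.x package names, a Spring Boot application that already exposes a `DataSource`/`JdbcTemplate` bean, and the three schema scripts shipped in the server jar having been applied to the database; the package name, client id and redirect URI are hypothetical placeholders.

```java
// Added example (not the project's own code): replaces the InMemory* stores from the
// getting-started guide with the JDBC-backed implementations so that registered clients,
// issued authorizations and consent decisions are shared by every instance and survive restarts.
// Assumes Spring Authorization Server 1.x and a Spring Boot-managed JdbcTemplate bean.
package com.example.authserver.config;   // hypothetical package

import java.util.UUID;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;

@Configuration
public class PersistentStoresConfig {

    // Schema scripts shipped inside the spring-security-oauth2-authorization-server jar.
    // Apply them (or an equivalent migration) to the production database before start-up:
    //   org/springframework/security/oauth2/server/authorization/client/oauth2-registered-client-schema.sql
    //   org/springframework/security/oauth2/server/authorization/oauth2-authorization-schema.sql
    //   org/springframework/security/oauth2/server/authorization/oauth2-authorization-consent-schema.sql

    @Bean
    public RegisteredClientRepository registeredClientRepository(JdbcTemplate jdbcTemplate,
                                                                 PasswordEncoder passwordEncoder) {
        JdbcRegisteredClientRepository repository = new JdbcRegisteredClientRepository(jdbcTemplate);

        // Seeding a client at start-up is shown for illustration only. The repository stores the
        // secret exactly as given, so it must already be encoded: the "{noop}secret" value from the
        // getting-started guide would persist a plaintext secret in the database.
        if (repository.findByClientId("messaging-client") == null) {   // hypothetical client id
            RegisteredClient client = RegisteredClient.withId(UUID.randomUUID().toString())
                    .clientId("messaging-client")
                    .clientSecret(passwordEncoder.encode("change-me"))   // stored as "{bcrypt}$2a$..."
                    .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                    .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                    .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                    .redirectUri("https://client.example.com/login/oauth2/code/messaging-client")
                    .scope(OidcScopes.OPENID)
                    .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
                    .build();
            repository.save(client);
        }
        return repository;
    }

    // Authorization codes, access/refresh tokens and ID tokens now live in the shared database,
    // so introspection and revocation no longer depend on which node issued the token.
    @Bean
    public OAuth2AuthorizationService authorizationService(JdbcTemplate jdbcTemplate,
                                                           RegisteredClientRepository registeredClientRepository) {
        return new JdbcOAuth2AuthorizationService(jdbcTemplate, registeredClientRepository);
    }

    // Consent decisions likewise have to be visible to every instance behind the load balancer.
    @Bean
    public OAuth2AuthorizationConsentService authorizationConsentService(JdbcTemplate jdbcTemplate,
                                                                         RegisteredClientRepository registeredClientRepository) {
        return new JdbcOAuth2AuthorizationConsentService(jdbcTemplate, registeredClientRepository);
    }

    // DelegatingPasswordEncoder prefixes each hash with its id ("{bcrypt}"). The server's
    // ClientSecretAuthenticationProvider also defaults to a DelegatingPasswordEncoder, so the
    // stored value verifies against the plaintext secret the client presents.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}
```

Two things worth checking once this is in place: that the `client_secret` column holds a `{bcrypt}`-prefixed hash rather than a `{noop}` value, and that the `oauth2_authorization` table is actually being written to, since a stale `InMemoryOAuth2AuthorizationService` bean left over from the guide will silently win if both are defined. The session bullet in the same list is the analogous change for the login session itself: the server's `HttpSession` has to move into a shared store (for example Spring Session backed by the same database or Redis) before sticky sessions can be dropped.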

I know this is a rather subjective matter, but it might also be helpful to provide some information and best practices regarding user registration and user management (for a user's own account as well as administration of all users' accounts), as these will surely come up in almost any scenario, and poorly designed mechanisms could result in pretty leaky boats. I am by no means a security expert, but as far as I understand, these concerns should be kept tightly within the IdP.

vgaborabs, Dec 07 '22 16:12