feat(framework): Add authn abstraction layer

[msheller]

Issue

This is PR 1.2 in the AppIo Auth changes.

Changing authn mechanisms (e.g. token, signed metadata) and/or policy (e.g. which interfaces require which mechanisms) is too intrusive and bespoke, complicating implementation, review and testing of essential security code.

Proposal

Add a lightweight authn abstraction layer to seperate authn logic into:

1. mechanism
2. decision engine
3. method policy (i.e. RPC authn requirements)
4. identity (i.e. specific SuperExec or ClientApp)
5. authn material

This enables new mechanisms or policies with minimal change and makes reasoning and testing much simpler.

Explanation

Created a light-weight auth abstraction intended to simplify the next set of PRs. See internal RFC for abstraction details.

The mental model is:

• Transport layer = parsing + plumbing
• Auth layer = policy + verification + identity
• Servicer layer = business logic with authenticated identity

Checklist

• Implement proposed change
• Write tests
• Update documentation
• Make CI checks pass
• Ping maintainers on Slack (channel #contributions)

Any other comments?

NOTE: this solution version conflates authentication-mechanism policy with authorization policy: SuperExecs and *Apps are distinguished by authentication mechanism (token vs. signed metadata). While I believe this is okay for now, we should separate these concerns as soon as we add authorization complexity, or if we ever decide to support multiple mechanisms for a given process (i.e. if *Apps can use tokens or signed metadata).

[Copilot]

Pull request overview

This PR introduces a transport-agnostic authentication (“authn”) abstraction layer for AppIo services, aiming to separate mechanism handling, policy/decision logic, and identity representation to simplify future authn changes.

Changes:

• Added core authn primitives (auth input, caller identity, decision engine, and a token authenticator).
• Added method-level auth policy types plus validation helper for policy tables.
• Added constants and unit tests for the new authn layer.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
framework/py/flwr/supercore/auth/appio_auth.py	Adds the core authn domain model and decision engine, plus token mechanism implementation.
framework/py/flwr/supercore/auth/policy.py	Introduces method auth policy types and a helper to validate per-RPC policy maps.
framework/py/flwr/supercore/auth/constant.py	Defines shared mechanism/caller-type identifiers and metadata key constants.
framework/py/flwr/supercore/auth/appio_auth_test.py	Adds unit tests covering engine behavior, token auth, signed-metadata presence semantics, and policy table validation.
framework/py/flwr/supercore/auth/__init__.py	Exposes the new authn layer public API via package exports.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[panh99]

Could remove the plugin_type? It would nice to make the auth abstract agnostic to plugins.

[panh99]

General question: just curious, can this abstraction be applied to node authentication as well?

[panh99]

Could we remove signed_metadata_present? Or is there an case when signed_metadata_present == True and signed_metadata == None but still pass the check?