Support Alternative Federated Identity Providers #76

@ashleythedeveloper

The current STUF implementation assumes Keycloak as the sole Identity Provider, with configuration, documentation and code paths tightly coupled to Keycloak. To support broader adoption and integration within enterprise environments, STUF must allow the use of alternative standards-based federated identity providers such as AWS Cognito, Azure Entra ID and others that implement OIDC/OAuth2.

This ticket captures the requirement to introduce a more provider-agnostic authentication/authorisation layer, reducing hard Keycloak dependencies and enabling pluggable IDP configuration.

Acceptance Criteria:

  • STUF authentication/authorisation architecture is updated to support any OIDC-compliant IDP
  • Keycloak-specific assumptions in configuration, code and documentation are identified and removed or isolated behind a generic interface
  • Provide a configuration pattern allowing selection of an external IDP without code modification
  • Basic documentation describing how to configure STUF with at least one alternative IDP (for example AWS Cognito or Azure Entra ID)
  • Existing Keycloak usage continues to function without regression
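
Added example, not part of the issue and not STUF code: one way to satisfy the "selection of an external IDP without code modification" criterion is to configure only an issuer and a client ID, take every endpoint from the provider's OIDC discovery document, and validate that document before trusting it. The setting names (`issuer`, `client_id`), the function names and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
ALLOWED_ALGS = ("RS256", "ES256", "PS256")  # asymmetric only; never "none" or HS*

class IdPConfigError(ValueError):
    """Raised when configuration or discovery metadata fails a check."""

def _require_https(name, url, bare=False):
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise IdPConfigError(f"{name} must be an absolute https URL: {url!r}")
    if bare and (parts.query or parts.fragment):
        raise IdPConfigError(f"{name} must not carry a query or fragment: {url!r}")

def discovery_url(issuer):
    # OIDC Discovery: drop a trailing "/" from the issuer, then append the well-known path.
    _require_https("issuer", issuer, bare=True)
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def load_provider(settings, metadata):
    """Merge generic settings (hypothetical keys) with fetched discovery metadata."""
    issuer = settings["issuer"]
    _require_https("issuer", issuer, bare=True)
    missing = [k for k in REQUIRED if k not in metadata]
    if missing:
        raise IdPConfigError(f"discovery document lacks {missing}")
    # Exact match required: a different issuer means another provider's or tenant's metadata.
    if metadata["issuer"] != issuer:
        raise IdPConfigError(f"issuer mismatch: {metadata['issuer']!r} != {issuer!r}")
    for key in REQUIRED[1:]:
        _require_https(key, metadata[key])
    offered = metadata.get("id_token_signing_alg_values_supported", [])
    algs = [a for a in ALLOWED_ALGS if a in offered]
    if not algs:
        raise IdPConfigError(f"no acceptable signing algorithm in {offered}")
    endpoints = {k: metadata[k] for k in REQUIRED[1:]}
    return {"issuer": issuer, "audience": settings["client_id"], "algorithms": algs, **endpoints}

# Constructed sample: a Keycloak-style issuer and an abridged discovery document.
SAMPLE_SETTINGS = {"issuer": "https://idp.example.test/realms/demo", "client_id": "stuf-api"}
_BASE = SAMPLE_SETTINGS["issuer"] + "/protocol/openid-connect"
SAMPLE_METADATA = {
    "issuer": SAMPLE_SETTINGS["issuer"],
    "authorization_endpoint": _BASE + "/auth",
    "token_endpoint": _BASE + "/token",
    "jwks_uri": _BASE + "/certs",
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
}
```

Pointing the same two settings at another provider's issuer changes nothing in the code path; the returned `issuer`, `audience` and `algorithms` are the values a token validator would then enforce.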
