Spike: Migration guide from LB3 - Authentication & authorization

[bajtos]

In a follow-up for #3718, we should document how to migrate Authentication & Authorization features from LB3-style to LB4. Let's write an outline of a migration guide for LB3 users - an initial "seed" version that we can incrementally improve later.

Acceptance criteria

• Review different aspects of auth & auth provided by LB3:

  • Authentication using User and AccessToken
  • Accessing the current user via options argument injected by strong-remoting
  • Authorization based on ACL, Role and strong-remoting metadata describing access-type of individual methods. Scope-based authorization.
  • API Explorer

• Update https://loopback.io/doc/en/lb4/Understanding-the-differences.html with any missing details, replace TBD markers with real content. Add new table rows to capture missing features.

• Update the draft of the Migration guide (see Spike: Migration guide from LB3 - General runtime #3718), create a placeholder section for each aspect/feature we need to document --> see docs/site/migration/auth

• If we know the instructions for migrating a certain aspect/feature, then write down the high level instructions as part of this spike.

• For the remaining sections, create follow-up issues and reference them from the section text.

While this story is a spike task, the skeleton of the migration guide should be landed and published in our docs. The spike aspect is related to the fact that we don't know the scope of the migration guide, which parts are easy to document and which will require further research.

Out of scope

• loopback-component-passport - see How to migrate apps using loopback-component-passport #3958
• loopback-component-oauth2 - see [Spike] How to migrate apps using loopback-component-oauth2 #3959

[dhmlau]

@raymondfeng, I'm assigning this to you, since we believe you know about the authentication in LB3 & LB4 the most. Thanks!