Implement authentication & authorization logic

We haven't discussed this yet, but here are some options:

  • For account management, lean on Keycloak as an OIDC single-sign-on provider
    • Use a local Authelia container for automated testing and development (Authelia is easier to configure declaratively than Keycloak)
  • Web and CLI clients use short-lived access tokens together with refresh tokens
    • Allow revoking API tokens from both the CLI and the web interface
    • Obtain a token pair by running `bbtw login`, then visiting a magic URL in the browser to authorize the CLI
  • For authorization, start with a simple RBAC setup with two roles: admins and normal users
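As an added illustration (not the project's code), a minimal in-memory model of the flow sketched above: `bbtw login` opens a pending login, the user approves a magic URL, the CLI receives a short-lived access token plus a refresh token, either side can revoke, and a two-role RBAC table gates actions. The lifetimes, the host `bbtw.example`, the permission names and the method names are assumptions; in the real deployment the tokens would come from Keycloak or Authelia rather than from this class.

```python
import secrets

ACCESS_TTL = 15 * 60          # assumed: access tokens live 15 minutes
REFRESH_TTL = 30 * 24 * 3600  # assumed: refresh tokens live 30 days
LOGIN_TTL = 5 * 60            # assumed: a pending CLI login must be approved within 5 minutes
ROLE_PERMS = {"admin": {"read", "write", "manage_users"}, "user": {"read", "write"}}


class TokenService:
    def __init__(self, clock):
        self.clock = clock  # injectable clock so expiry is testable
        self.pending = {}   # login code -> expiry of the not-yet-approved CLI login
        self.refresh = {}   # refresh token -> {"sub", "expires"}
        self.access = {}    # access token -> {"sub", "expires", "refresh"}
        self.roles = {}     # user -> "admin" | "user"

    def start_cli_login(self):
        """`bbtw login`: returns the code the CLI waits on and the magic URL to open."""
        code = secrets.token_urlsafe(16)
        self.pending[code] = self.clock() + LOGIN_TTL
        return code, f"https://bbtw.example/authorize/{code}"  # placeholder host

    def approve_login(self, code, user):
        exp = self.pending.pop(code, None)  # single use, whether or not it succeeds
        if exp is None or exp < self.clock():
            return None
        return self._issue(user)

    def _issue(self, user):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.refresh[rt] = {"sub": user, "expires": self.clock() + REFRESH_TTL}
        self.access[at] = {"sub": user, "expires": self.clock() + ACCESS_TTL, "refresh": rt}
        return at, rt

    def refresh_pair(self, rt):
        rec = self.refresh.get(rt)
        self.revoke(rt)  # rotation: the presented refresh token and its access tokens retire
        if rec is None or rec["expires"] < self.clock():
            return None
        return self._issue(rec["sub"])

    def revoke(self, rt):
        self.refresh.pop(rt, None)  # revocation from CLI or web UI: drop the refresh token...
        for at in [a for a, r in self.access.items() if r["refresh"] == rt]:
            del self.access[at]     # ...and every access token it backed

    def check(self, at, perm):
        rec = self.access.get(at)   # authenticate the short-lived access token first
        if rec is None or rec["expires"] < self.clock():
            return False
        return perm in ROLE_PERMS.get(self.roles.get(rec["sub"], "user"), set())
```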
Edited by Rafael Epplée