For better or (and) worse, I'm just going to barf out some ideas here!
I'm imagining something like, "as a user, I would like there to be a single dialog to manage all possible authentication types and scenarios in a highly configurable and easy to understand visual way".
As far as I understand it, current auth configuration use cases can range from straightforward usage of ZAP's current session management (Form, script, etc.) to a variety of approaches that may involve a combination of Replacer functions, auth, sequence, standalone and/or httpsender scripts (also depending on what scan is being performed).
The scenarios that these are needed to handle:
- cookie-based
- token-based (also browser)
- also needs to allow for CSRF, nonce, etc.
- OTP
- multiple simultaneous sessions (i.e., ZAP needs to authenticate to an application to scan it, while also maintaining a session with some host for that application... remote dev environment on AWS, etc.)
- I'm sure I'm missing a bunch
ZAP needs to send auth information
ZAP needs to recognize when it needs to send or not send auth information
ZAP needs to recognize when it needs to re-authenticate
ZAP needs to recognize and capture session information
ZAP needs to know where to send that information (itself, back to browser, etc)
ZAP needs to know what context this applies to
ZAP needs to know what user
ZAP needs to know which scan this applies for?
I know there's always a functional trade-off for who the 'primary market' is for the tool, whether it should be so intuitive that new users can get going right away for their systems, or if it should be more configurable to cover more scenarios but maybe have a slightly higher learning curve.
Personally, I imagine a dialog with:
a text field (what to send to authenticate), and then checkboxes.
- send in URL: yes/no (probably popup warning for that since that's a no-no)
- send in header: yes/no
- send in body: yes/no
Then a field for regex/capture of session info, and then checkboxes (what to do with it and how often)
- for instance:
  - send to browser: yes/no
  - send in header: yes/no
  - send in body: yes/no
  - send in URL: yes/no
  - apply to: spider/ajax/active/fuzzer/forcedbrowse/etc.
Then a field for recognizing auth state via regex and checkboxes
  - check in: response code/response header/response body
  - re-authenticate when logged out: yes/no
  - re-authenticate before every request: yes/no
Also the option to add additional messages, like the Sequencer, if needed.
Maybe it would be like right-clicking on a request in ZAP history and selecting 'auth request', and then it would be like the fuzzer in that a dialog with a copy of the message would pop up for configuring and editing. You could highlight different areas and assign different values to send, replace, etc.
Well, there's my brain dump! Hopefully that wasn't too much 'back seat driving', I know this stuff is a lot of work (nearly all of which is beyond me) and that time is in short supply! :)
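To make the proposed dialog's semantics concrete, here is a small stand-alone model of it, added as an illustration and not part of ZAP or of the comment above: one capture regex for the session token, checkboxes for where to inject it (header/body/URL, with the URL option only ever warned about), a logged-out regex plus the places to check it in (code/header/body), and the two re-authenticate policies. `FakeApp`, the `sid…` tokens and the expiry-after-three-requests rule are constructed for the demo; nothing here is a real ZAP API.

```python
import re
import warnings
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Message = Dict[str, object]  # {"code": int, "headers": {...}, "body": str, "url": str}


@dataclass
class AuthConfig:
    """One row of the imagined dialog. Field names are hypothetical."""
    capture_regex: str                      # group 1 = session token in the login response
    logged_out_regex: str                   # matches when the app says we are logged out
    check_in: Tuple[str, ...] = ("code", "header", "body")  # where to look for it
    send_in_header: Optional[str] = None    # header that carries the token, e.g. "Cookie"
    header_format: str = "{token}"          # how the token is rendered into that header
    send_in_body: Optional[str] = None      # body field name, e.g. "csrf_token"
    send_in_url: bool = False               # the "no-no" checkbox; warned about when set
    reauth_before_every_request: bool = False


class AuthSession:
    def __init__(self, cfg: AuthConfig, login: Callable[[], Message]):
        if cfg.send_in_url:
            warnings.warn("tokens in the URL end up in logs, history and Referer headers")
        self.cfg, self._login, self.token, self.logins = cfg, login, None, 0

    @staticmethod
    def _flatten(msg: Message, parts=("code", "header", "body")) -> str:
        """Render the selected parts of a message as text the regexes can run over."""
        chunks = []
        if "code" in parts:
            chunks.append(str(msg.get("code", "")))
        if "header" in parts:
            chunks += [f"{k}: {v}" for k, v in msg.get("headers", {}).items()]
        if "body" in parts:
            chunks.append(str(msg.get("body", "")))
        return "\n".join(chunks)

    def authenticate(self) -> str:
        resp = self._login()
        self.logins += 1
        m = re.search(self.cfg.capture_regex, self._flatten(resp))
        if not m:
            raise RuntimeError("capture regex did not match the login response")
        self.token = m.group(1)
        return self.token

    def is_logged_out(self, resp: Message) -> bool:
        text = self._flatten(resp, self.cfg.check_in)
        return re.search(self.cfg.logged_out_regex, text, re.M) is not None

    def apply(self, req: Message) -> Message:
        """Inject the captured token wherever the checkboxes say."""
        out = {"url": req.get("url", ""), "headers": dict(req.get("headers", {})),
               "body": str(req.get("body", ""))}
        if self.cfg.send_in_header:
            out["headers"][self.cfg.send_in_header] = self.cfg.header_format.format(token=self.token)
        if self.cfg.send_in_body:
            out["body"] = "&".join(p for p in (f"{self.cfg.send_in_body}={self.token}", out["body"]) if p)
        if self.cfg.send_in_url:
            out["url"] += ("&" if "?" in out["url"] else "?") + f"token={self.token}"
        return out

    def send(self, req: Message, transport: Callable[[Message], Message]) -> Message:
        if self.token is None or self.cfg.reauth_before_every_request:
            self.authenticate()
        resp = transport(self.apply(req))
        if self.is_logged_out(resp):          # "re-authenticate when logged out"
            self.authenticate()
            resp = transport(self.apply(req))
        return resp


class FakeApp:
    """Constructed target: cookie session that expires after three uses."""
    def __init__(self):
        self.valid, self.uses, self.counter = set(), {}, 0

    def login(self) -> Message:
        self.counter += 1
        sid = f"sid{self.counter}"
        self.valid.add(sid)
        self.uses[sid] = 0
        return {"code": 200, "headers": {"Set-Cookie": f"session={sid}; Path=/"}, "body": "ok"}

    def handle(self, req: Message) -> Message:
        m = re.search(r"session=(\w+)", req["headers"].get("Cookie", ""))
        sid = m.group(1) if m else None
        if sid in self.valid:
            self.uses[sid] += 1
            if self.uses[sid] <= 3:
                return {"code": 200, "headers": {}, "body": f"hello {sid}"}
            self.valid.discard(sid)
        return {"code": 302, "headers": {"Location": "/login"}, "body": "Please log in"}


def run_demo(n_requests: int = 8) -> dict:
    """Drive the fake app; every scan request ends up 200 because expiry is detected and re-auth'd."""
    app = FakeApp()
    cfg = AuthConfig(capture_regex=r"session=(\w+)", logged_out_regex=r"^302$|Please log in",
                     check_in=("code", "body"), send_in_header="Cookie", header_format="session={token}")
    sess = AuthSession(cfg, app.login)
    codes = [sess.send({"url": "/account"}, app.handle)["code"] for _ in range(n_requests)]
    return {"codes": codes, "logins": sess.logins}


if __name__ == "__main__":
    print(run_demo())
```

With eight scan requests the session expires twice, so the model logs in three times and the scan sees eight 200s; turning on `reauth_before_every_request` instead would cost a login per request, which is the trade-off the "before every request" checkbox exposes.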