FEAT: Add Open ID Connect authentication method

* add `oidc-config` setting allowing an admin user to configure parameters
* modify login page to show another button when oidc is configured
* add dependency `openid-client` `v5.4.0`
* add backend route to process "OAuth2 Authorization Code" flow
  initialisation
* add backend route to process callback of above flow
* sign in the authenticated user with internal jwt token if internal
  user with email matching the one retrieved from oauth claims exists

Note: Only Open ID Connect Discovery is supported which most modern
Identity Providers offer.

Tested with Authentik 2023.2.2 and Keycloak 18.0.2

backend/internal/token.js

@@ -82,6 +82,52 @@ module.exports = {
 			});
 	},
 
+	/**
+	 * @param   {Object} data
+	 * @param   {String} data.identity
+	 * @param   {String} [issuer]
+	 * @returns {Promise}
+	 */
+	getTokenFromOAuthClaim: (data, issuer) => {
+		let Token = new TokenModel();
+
+		data.scope  = 'user';
+		data.expiry = '1d';
+
+		return userModel
+			.query()
+			.where('email', data.identity)
+			.andWhere('is_deleted', 0)
+			.andWhere('is_disabled', 0)
+			.first()
+			.then((user) => {
+					if (!user) {
+						throw new error.AuthError('No relevant user found');
+					}
+
+					// Create a moment of the expiry expression
+					let expiry = helpers.parseDatePeriod(data.expiry);
+					if (expiry === null) {
+						throw new error.AuthError('Invalid expiry time: ' + data.expiry);
+					}
+
+					let iss = 'api',
+						attrs = { id: user.id },
+						scope = [ data.scope ],
+						expiresIn = data.expiry;
+
+					return Token.create({ iss, attrs, scope, expiresIn })
+						.then((signed) => {
+							return {
+								token: signed.token,
+								expires: expiry.toISOString()
+							};
+						});
+
+				}
+			);
+	},
+
 	/**
 	 * @param {Access} access
 	 * @param {Object} [data]