Backend:
- Add OIDCConfig, OIDCConfigService, OIDCService classes for OIDC flow
- Add OIDC endpoints: status, config (get/update), login, callback
- Support authorization code flow with PKCE-compatible state parameter
- JWKS-based ID token validation with RS256 support
- Auto-provisioning of users from OIDC claims
- Admin group mapping for automatic admin role assignment
Frontend:
- Add SSO login button on login page (conditionally shown when enabled)
- Add OIDC admin configuration page (/admin/oidc)
- Add SSO Configuration link in admin menu
- Add OIDC types and API functions
Security:
- CSRF protection via state parameter in secure cookie
- Secure cookie settings (httponly, secure, samesite=lax)
- Client secret stored encrypted in database
- Token validation using provider's JWKS endpoint
1c31fe79cd