[RFC] OIDC auth

[open-dynaMIX]

Rationale

We have mutliple applications that authenticate users through an OIDC provider.

Right now there are:

• Caluma
• document-merge-service (DMS)

With more to come (#1047).

The implementations in Caluma and DMS are very similar, but not identical.

A non-exhaustive list of differences:

• If fetching data from the userinfo endpoint fails, Caluma then tries to fetch it
  from the introspect endpoint. With keycloak this is needed, if auth happens with a
  client token. DMS doesn't do that.
• DMS supports a dedicated group endpoint for fetching groups from an external api. Caluma
  doesn't have this feature.
• The models that are used for the temporary user objects differ.

Proposal

Extract and combine the logic of both existing implementations and provide it in a
python package on PyPI.

Considerations

Maintaining this in a separate Repository creates some overhead that should be
considered.

However, the benefit of having identical implementations for this and not maintaining
it in every project (with it's own little differences) outweighs this concern IMO.

Additionally, having streamlined user models accross all of our OIDC authenticated applications is a nice plus.

[open-dynaMIX]

/cc @czosel @kaldras @anehx @winged

[sbor23]

I'm very much in favour of a shared OIDC auth backend for all related django projects.

However a shared user model might be problematic, since caluma doesn't have a persistent django model for it.
The user model should be configurable so that either a plain python class is provided (like in caluma OIDCUser) or a django's get_user_model() is used instead.