Single sign on using identity provider

[mrjones-plip]

Is your feature request related to a problem? Please describe.
Some deployments don't want to have to use a decentralized set of users for program, of which CHT is just one piece of. Instead, they would like to use a centralized system to allow users to login using a single sign on approach.

In the context of OpenID Connect (OIDC), this would mean that CHT authenticates via an OAuth2 identity provider over OIDC.

This ticket will be the parent ticket for the MVP effort - from the design doc:

This is a minimum viable product (MVP) effort. This means no extra features beyond what is needed to achieve the goal. A bare minimum of effort should be put into extensibility beyond the MVP as it's assumed any code that needs to be extensible will be refactored later. Keep this really focused to literally only what is needed for the MVP!

Describe the solution you'd like
Allow users to login using single sign on

Describe alternatives you've considered
There was a larger effort earlier on more generic Oauth 2.0 support. This ticket is a MUCH smaller scope.

Additional context
This is a unified effort of the larger community who's interested in actively help develop this feature. A weekly meeting is held to help move the process forward. Please comment on this ticket if you're interested in joining!