[Initiative] OIDC Integration Module

[juliuskrah]

Summary

Add OIDC integration as a pluggable module instead of embedding a custom identity provider inside GitStore.

Scope

In scope:

• OIDC provider configuration contract (issuer, audience, JWKS)
• Token validation middleware and claim mapping
• Support for external OIDC providers (Hydra, Dex, Keycloak, others)

Out of scope:

• Implementing a new OIDC server in GitStore

Acceptance Criteria

• OIDC integration can be toggled on/off via configuration
• JWT verification supports JWKS key rotation
• Claim mapping from external providers is configurable
• Security tests cover invalid issuer/audience/signature and expired token paths

Tracking

• Milestone: TBD