Upgrade "Login with your Bornhack Account" to be OIDC

[flokli]

Is your feature request related to a problem? Please describe.
I'd like to configure various applications (Grafana, Dex, …) to allow logging in with your Bornhack login. Most of these applications use OIDC, but it seems the /o/userinfo endpoint doesn't work.

Also, o/applications complains about OIDC_RSA_PRIVATE_KEY not being set, and there's no .well-known/openid-configuration and JWKS endopoint

Describe the solution you'd like
Have Bornhack website provide OIDC login. Provide .well-known/openid-configuration at the root, so clients can discover the different URLs used. Provide team memberships per bornhack as a custom claim in the userinfo response (probably gated on another scope).
This will make it possible to give people in certain teams certain privileges.

Describe alternatives you've considered
Only use /o/authorize and /o/token, and manually fetch user details from /profile/api/ (this is what wip-pos does do).

This however requires implementing the Bornhack Login format into every application that wants to make use of it, and I don't think I can upstream this into Grafana or Kubernetes.

Additional context
N/A

[flokli]

I hacked together https://github.com/flokli/dex/tree/bornhack, which implements a custom Dex connector that does do the oauth dance, and then fetches group info from the custom /profile/API/ endpoint and adds it to the group claims.

It synthesizes a fake email derived from the user id, as various applications get angry if there's no email available.