Add OIDC provider functionality with validation setup

This commit adds OpenID Connect (OIDC) provider functionality to tinyauth,
allowing it to act as an OIDC identity provider for other applications.

Features:
- OIDC discovery endpoint at /.well-known/openid-configuration
- Authorization endpoint for OAuth 2.0 authorization code flow
- Token endpoint for exchanging authorization codes for tokens
- ID token generation with JWT signing
- JWKS endpoint for public key distribution
- Support for PKCE (code challenge/verifier)
- Nonce validation for ID tokens
- Configurable OIDC clients with redirect URIs, scopes, and grant types

Validation:
- Docker Compose setup for local testing
- OIDC test client (oidc-whoami) with session management
- Nginx reverse proxy configuration
- DNS server (dnsmasq) for custom domain resolution
- Chrome launch script for easy testing

Configuration:
- OIDC configuration in config.yaml
- Example configuration in config.example.yaml
- Database migrations for OIDC client storage

validation/launch-chrome.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+set -e
+
+echo "=========================================="
+echo "Chrome Launcher for OIDC Test Setup"
+echo "=========================================="
+
+# Wait for nginx to be ready
+echo "Waiting for nginx to be ready..."
+for i in {1..30}; do
+    if curl -s http://127.0.0.1/ > /dev/null 2>&1; then
+        echo "✓ Nginx is ready"
+        break
+    fi
+    if [ $i -eq 30 ]; then
+        echo "✗ Nginx not ready after 30 seconds"
+        exit 1
+    fi
+    sleep 1
+done
+
+# Try to find Chrome on the host system
+# Since we're in a container, we need to check common locations
+CHROME_PATHS=(
+    "/usr/bin/google-chrome"
+    "/usr/bin/google-chrome-stable"
+    "/usr/bin/chromium-browser"
+    "/usr/bin/chromium"
+    "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
+)
+
+CHROME_CMD=""
+for path in "${CHROME_PATHS[@]}"; do
+    if [ -f "$path" ] || command -v "$(basename "$path")" &> /dev/null; then
+        CHROME_CMD="$(basename "$path")"
+        break
+    fi
+done
+
+if [ -z "$CHROME_CMD" ]; then
+    echo ""
+    echo "Chrome not found in container. This is expected."
+    echo "Please launch Chrome manually on your host with:"
+    echo ""
+    echo '  google-chrome --host-resolver-rules="MAP auth.example.com 127.0.0.1" http://auth.example.com/'
+    echo ""
+    echo "Or use the launch script on your host:"
+    echo "  ./launch-chrome.sh"
+    echo ""
+    exit 0
+fi
+
+echo "Found Chrome: $CHROME_CMD"
+echo "Launching Chrome with host-resolver-rules..."
+echo ""
+
+$CHROME_CMD \
+    --host-resolver-rules="MAP auth.example.com 127.0.0.1" \
+    --new-window \
+    http://auth.example.com/ \
+    > /dev/null 2>&1 &
+
+echo "✓ Chrome launched!"
+echo ""
+echo "Access tinyauth at: http://auth.example.com/"
+echo "OIDC test client callback: http://127.0.0.1:8765/callback"
+echo ""
+