Implement authentication via OpenIdConnect and OAuth2

The new subproject "oidc" handles all the details for working with an
OpenID Connect provider (like keycloak) or only OAuth2 - only
supporting the "Authorization Code Flow" for both variants.

modules/restserver/src/main/resources/reference.conf

@@ -61,6 +61,44 @@ docspell.server {
     }
   }
 
+  # Configures OpenID Connect or OAuth2 authentication. Only the
+  # "Authorization Code Flow" is supported.
+  #
+  # When using OpenID Connect, a scope is mandatory.
+  # TODO
+  #
+  # Below are examples for OpenID Connect (keycloak) and OAuth2
+  # (github).
+  openid =
+    [ { enabled = false,
+        provider = {
+          provider-id = "keycloak",
+          client-id = "docspell",
+          client-secret = "21cd4550-6328-439e-bf06-911e4cdd56a6",
+          scope = "docspell",
+          authorize-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/auth",
+          token-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/token",
+          #User URL is not used when signature key is set.
+          #user-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/userinfo",
+          sign-key = "b64:MII…ZYL09vAwLn8EAcSkCAwEAAQ==",
+          sig-algo = "RS512"
+        }
+      },
+      { enabled = false,
+        provider = {
+          provider-id = "github",
+          client-id = "<your github client id>",
+          client-secret = "<your github client secret>",
+          scope = "",
+          authorize-url = "https://github.com/login/oauth/authorize",
+          token-url = "https://github.com/login/oauth/access_token",
+          user-url = "https://api.github.com/user",
+          sign-key = ""
+          sig-algo = "RS256" #unused but must be set to something
+        }
+      }
+    ]
+
   # This endpoint allows to upload files to any collective. The
   # intention is that local software integrates with docspell more
   # easily. Therefore the endpoint is not protected by the usual