OpenID Connect identity provider

[russss]

We could do with some way of allowing people to log in to other services with their EMF ticket account. I am contemplating a few things which do not need to be tightly coupled to the main website. OIDC is likely the best way forward here.

Some considerations:

• User IDs will need to be namespaced by event year - perhaps we need a standard way of generating externally-visible IDs. (Maybe sqids would be nice, or perhaps we just go full UUID?)
• I think app credentials (API key & secret) can just be configured statically (perhaps in a separate JSON file to the main config). This avoids needing to build too much admin CRUD and also means they will persist between years.

[Jonty]

It might be nice to make this available externally, as we have had attendee requests for it in the past (for games/services and the like).

[lukegb]

As a first take on this, IMO we should just support the openid, profile, and email scopes; we could potentially add some extra scopes (emfcamp.org/schedule/favourites/read? emfcamp.org/schedule/favourites/modify?) later but that implies doing more than just being an IdP.

[marksteward]

Email should be optional imo.

[russss]

It would be nice to support attendee-run clients but this doesn't preclude having the client credentials in a static file. (It might be good to have an expiry date for client credentials in this case.)

Allowing clients to see email should definitely be optional - I guess the approval page which the user sees should clearly state if it's an official EMF service and what data the client can access.

[Jonty]

What are the use-cases for sharing email? Is it just notifications?