
Add OIDC support #4597

Open

kieftrav wants to merge 3 commits into master from add-oidc-support

Conversation


@kieftrav kieftrav commented Apr 20, 2026

Add OpenID Connect (OIDC) support to Panoptes via doorkeeper-openid_connect.

This enables standard OIDC endpoints (/.well-known/openid-configuration, /oauth/userinfo, /oauth/discovery/keys) and issues OIDC-compliant ID tokens when the openid scope is requested. The ID token includes claims for login, name, email, email_verified, admin, and zooniverse_id.

Changes

  • Gemfile - add doorkeeper-openid_connect ~> 1.9, upgrade doorkeeper-jwt to ~> 0.4 (required for jwt >= 2.5 compatibility)
  • doorkeeper.rb - add :openid to optional scopes, fix encryption_method -> signing_method deprecation
  • doorkeeper_openid_connect.rb - new initializer with issuer, signing key (reuses existing RSA keypair), claims mapping, and resource owner resolution
  • routes.rb - add use_doorkeeper_openid_connect
  • migration - creates oauth_openid_requests table for authorization code flow nonce tracking
  • dev_seed_noninteractive.rb - non-interactive seed script that creates admin user + OAuth app with openid scope (alternative to the interactive dev_seed_data.rb)
  • docker-compose.yml - parameterize ports with env vars (PANOPTES_PORT, PG_PORT) so developers can override via .env without modifying tracked files

OIDC endpoints added

Endpoint                                   Purpose
GET /.well-known/openid-configuration      Discovery document
GET /oauth/discovery/keys                  JWKS (public key for ID token verification)
GET /oauth/userinfo                        User claims (requires Bearer token with openid scope)

Depends on

Review checklist

  • First, the most important one: is this PR small enough that you can actually review it? Feel free to just reject a branch if the changes are hard to review due to the length of the diff.
  • If there are any migrations, will the previous version of the app work correctly after they've been run (e.g. they don't remove columns still known about by ActiveRecord)?
    • Yes - adds a new table only, no changes to existing tables.
  • If anything changed with regards to the public API, are those changes also documented in the apiary.apib file?
    • The OIDC endpoints are auto-mounted by doorkeeper-openid_connect. Apiary documentation can be added where it makes sense.
  • Are all the changes covered by tests? Think about any possible edge cases that might be left untested.
    • The OIDC gem provides its own test coverage. Integration testing was verified locally against all endpoints.

CI/CD

CI is expected to fail until the dependency chain is resolved. All 8 jobs fail at bundle install in deployment mode because Gemfile.lock is out of sync with the new Gemfile entries.

Steps to unblock (in order):

  1. Merge "Upgrade JWT gem to v2 for OIDC compatibility" (panoptes-client.rb#49), which upgrades the jwt gem from ~> 1.5.0 to >= 2.5
  2. Release panoptes-client 1.3.0 to RubyGems: bump version in lib/panoptes/client/version.rb, update CHANGELOG.md, gem build && gem push
  3. Regenerate Gemfile.lock on this branch: bundle lock will resolve doorkeeper-openid_connect, doorkeeper-jwt ~> 0.4, and panoptes-client ~> 1.3 now that jwt >= 2.5 is no longer blocked by panoptes-client

The same applies to Gemfile.next.lock if the dual-boot setup needs to resolve the new gems.

(planning to do this after the primary merge... Want to make the dependencies clear before then)
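The ID-token path the description above sets up, as an added example that is not Panoptes or doorkeeper-openid_connect code: it signs a token with RS512 over the claims listed in the description, publishes the public key as a JWK set the way /oauth/discovery/keys would, and then runs the checks a relying party must make before trusting the token (pinned alg, kid lookup, signature, iss, aud, exp, nonce). The issuer URL, client id, key id and sample user are assumptions, and the Ruby stdlib (OpenSSL, JSON, Base64) is used instead of the jwt gem so it runs without the PR's dependency chain.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Added example, not project code. Issuer, client id and kid are assumptions.
ISSUER    = 'https://panoptes.example.org'   # assumed OIDC issuer
CLIENT_ID = 'example-oidc-client'            # assumed OAuth app uid (the aud claim)
KEY_ID    = 'panoptes-rs512-1'               # assumed JWK kid

# Constructed sample resource owner carrying the claims the PR lists.
SAMPLE_USER = { id: 42, login: 'example_user', name: 'Example User',
                email: 'user@example.org', email_verified: true,
                admin: false, zooniverse_id: 'panoptes-42' }

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

# Server side: the RSA signing key. The PR reuses Panoptes' existing keypair;
# this one is generated fresh so the example is self-contained.
SIGNING_KEY = OpenSSL::PKey::RSA.new(2048)

# Server side: the public half as a JWK set, as the JWKS endpoint would serve it.
def jwks
  { 'keys' => [{ 'kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS512', 'kid' => KEY_ID,
                 'n' => b64url(SIGNING_KEY.n.to_s(2)), 'e' => b64url(SIGNING_KEY.e.to_s(2)) }] }
end

# Server side: issue an RS512 ID token for a request that asked for the openid scope.
def issue_id_token(user, nonce:, now: Time.now.to_i, ttl: 600)
  header  = { 'alg' => 'RS512', 'typ' => 'JWT', 'kid' => KEY_ID }
  payload = { 'iss' => ISSUER, 'sub' => user[:id].to_s, 'aud' => CLIENT_ID,
              'iat' => now, 'exp' => now + ttl, 'nonce' => nonce,
              'login' => user[:login], 'name' => user[:name], 'email' => user[:email],
              'email_verified' => user[:email_verified], 'admin' => user[:admin],
              'zooniverse_id' => user[:zooniverse_id] }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  signature = SIGNING_KEY.sign(OpenSSL::Digest.new('SHA512'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Relying-party side: rebuild an RSA public key from the JWK's n/e by wrapping
# them in a SubjectPublicKeyInfo structure, which OpenSSL parses on every version.
def jwk_to_public_key(jwk)
  n = OpenSSL::BN.new(b64url_decode(jwk['n']), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk['e']), 2)
  rsa_pub = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(n), OpenSSL::ASN1::Integer.new(e)])
  spki = OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new('rsaEncryption'), OpenSSL::ASN1::Null.new(nil)]),
    OpenSSL::ASN1::BitString.new(rsa_pub.to_der)
  ])
  OpenSSL::PKey::RSA.new(spki.to_der)
end

# Relying-party side: every check a client must make before trusting the claims.
# Returns [true, claims] or [false, reason].
def verify_id_token(token, jwks:, expected_nonce:, now: Time.now.to_i)
  h, p, s = token.split('.')
  return [false, 'malformed token'] unless h && p && s
  header  = JSON.parse(b64url_decode(h))
  payload = JSON.parse(b64url_decode(p))
  # Pin the algorithm instead of trusting the header: rejects alg "none" and key-confusion tokens.
  return [false, "unexpected alg #{header['alg']}"] unless header['alg'] == 'RS512'
  jwk = jwks['keys'].find { |k| k['kid'] == header['kid'] }
  return [false, 'unknown kid'] unless jwk
  pub = jwk_to_public_key(jwk)
  return [false, 'bad signature'] unless pub.verify(OpenSSL::Digest.new('SHA512'), b64url_decode(s), "#{h}.#{p}")
  return [false, 'wrong issuer'] unless payload['iss'] == ISSUER
  return [false, 'wrong audience'] unless Array(payload['aud']).include?(CLIENT_ID)
  return [false, 'expired'] unless payload['exp'].is_a?(Integer) && now < payload['exp']
  # The nonce binds the token to the client's own authorization request (replay protection).
  return [false, 'nonce mismatch'] unless payload['nonce'] == expected_nonce
  [true, payload]
end
```

The order of checks is deliberate: the signature is verified before any claim is read as trusted, and the alg is pinned so a verifier never lets the token choose how it is checked. The nonce comparison is the client-side half of the nonce tracking the oauth_openid_requests migration adds on the server.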

@kieftrav kieftrav requested review from lcjohnso and zwolf April 20, 2026 22:03
@kieftrav kieftrav force-pushed the add-oidc-support branch 2 times, most recently from 88224aa to 14d1c73 April 20, 2026 22:08
Enables Proof Key for Code Exchange (RFC 7636) on the authorization_code
grant. Public clients (SPAs, mobile apps) can now authenticate without a
client_secret by sending code_challenge/code_verifier parameters.

Opt-in per request — existing clients that omit code_challenge continue
working unchanged.

Adds standard OIDC endpoints (discovery, JWKS, userinfo) and issues
OIDC-compliant ID tokens when the openid scope is requested. Reuses
existing RS512 signing key. Existing OAuth2 flows unchanged.
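The PKCE exchange the first commit message describes, written out for both sides as an added example (not the commit's code): the client derives an S256 code_challenge from a random code_verifier, the authorization endpoint stores the challenge with the code it issues, and the token endpoint re-derives the challenge from the presented code_verifier and compares it in constant time, while a grant issued without a code_challenge is redeemed exactly as before (the opt-in behaviour the commit describes). The in-memory GRANTS hash stands in for the grant table, and the client ids are made up.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Added example, not the commit's code. Parameter names follow RFC 7636;
# GRANTS is an assumed in-memory stand-in for the access-grant table.
GRANTS = {}

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Client side: a 32-byte random verifier encodes to 43 unreserved characters,
# the RFC minimum; the S256 challenge is base64url(SHA-256(verifier)).
def generate_pkce
  verifier  = b64url(SecureRandom.random_bytes(32))
  challenge = b64url(OpenSSL::Digest::SHA256.digest(verifier))
  { verifier: verifier, challenge: challenge, method: 'S256' }
end

# Authorization endpoint: store the challenge (if the client sent one) with the code.
# Returns [code, nil] or [nil, error].
def issue_code(client_id:, code_challenge: nil, code_challenge_method: nil)
  method = code_challenge_method || 'plain'   # RFC 7636 default when the method is omitted
  if code_challenge && !%w[S256 plain].include?(method)
    return [nil, 'invalid_request: unsupported code_challenge_method']
  end
  code = SecureRandom.hex(16)
  GRANTS[code] = { client_id: client_id, challenge: code_challenge, method: method, used: false }
  [code, nil]
end

# Constant-time comparison so a mismatch does not leak where the strings diverge.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Token endpoint: exchange the code, enforcing PKCE only when the grant carries a challenge.
# Returns [true, message] or [false, error].
def redeem_code(code, client_id:, code_verifier: nil)
  grant = GRANTS[code]
  return [false, 'invalid_grant'] unless grant && !grant[:used] && grant[:client_id] == client_id
  grant[:used] = true   # codes are single-use whether or not PKCE is in play
  if grant[:challenge].nil?
    # Opt-in: a client that omitted code_challenge keeps working unchanged.
    return [true, 'token issued (no PKCE on this grant)']
  end
  return [false, 'invalid_grant: code_verifier required'] if code_verifier.nil?
  return [false, 'invalid_grant: code_verifier length'] unless (43..128).cover?(code_verifier.length)
  derived = grant[:method] == 'S256' ? b64url(OpenSSL::Digest::SHA256.digest(code_verifier)) : code_verifier
  return [false, 'invalid_grant: code_verifier mismatch'] unless secure_equal?(derived, grant[:challenge])
  [true, 'token issued (PKCE verified)']
end
```

Note that the code is marked used before the verifier is checked, so a stolen code cannot be retried with guessed verifiers, and that the length check on code_verifier is applied on the token side, where the RFC places it.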
@@ -0,0 +1,6 @@
class AddPkceToDoorkeeperAccessGrants < ActiveRecord::Migration[6.1]
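Review bot: The class name AddPkceToDoorkeeperAccessGrants says this migration alters the existing oauth_access_grants table, which contradicts the checklist answer in the description ("adds a new table only, no changes to existing tables") and the Changes list, which mentions only the oauth_openid_requests migration. Please update the description to list this migration, and since only the class line is visible in this hunk, confirm in the PR that the columns it adds are nullable with no default that rejects grants written by the currently deployed version. RuboCop's Style/FrozenStringLiteralComment finding on this file also still needs the `# frozen_string_literal: true` line at the top.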

Style/FrozenStringLiteralComment: Missing frozen string literal comment.
