Generic OIDC authentication for quarto-hub server#34

Merged
shikokuchuo merged 6 commits into main from oidc
Mar 11, 2026

@shikokuchuo (Collaborator)

Replace Google-hardcoded auth with provider-agnostic OIDC so any compliant identity provider (Auth0, Azure AD, Okta, Keycloak, etc.) can be used via CLI flags.

This means that switching to another auth provider would be a drop-in replacement for the server, and we'd only need to wire this into the front end.

CLI changes

# Before
hub --google-client-id <ID>

# After (Google — defaults make this a drop-in rename)
hub --oidc-client-id <ID>

# After (custom provider)
hub --oidc-client-id <ID> \
  --oidc-issuer https://your-provider.com \
  --oidc-image-domains avatars.your-provider.com

  • --google-client-id / QUARTO_HUB_GOOGLE_CLIENT_ID → --oidc-client-id / OIDC_CLIENT_ID
  • New: --oidc-issuer / OIDC_ISSUER (default: https://accounts.google.com)
  • New: --oidc-image-domains / OIDC_IMAGE_DOMAINS (default: lh3.googleusercontent.com)

The JWKS URL is always discovered automatically from {issuer}/.well-known/openid-configuration — no flag needed.

Scope

  • Backend only. Frontend remains Google-specific (@react-oauth/google) and will be updated separately when a new provider is needed.
  • Single provider. Multi-provider support is a non-goal.

@shikokuchuo shikokuchuo marked this pull request as ready for review March 11, 2026 16:40
@shikokuchuo shikokuchuo merged commit c5c3b55 into main Mar 11, 2026
4 checks passed
@shikokuchuo shikokuchuo deleted the oidc branch March 11, 2026 18:22
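
The discovery step named in the description above (JWKS URL taken from {issuer}/.well-known/openid-configuration) comes with checks a relying party applies before trusting the returned keys. This is an added example, not code from this pull request or from quarto-hub; the function names and the idp.example.com documents are hypothetical and constructed for illustration.

```python
import json
from urllib.parse import urlsplit


class DiscoveryError(ValueError):
    """The discovery document must not be trusted."""


def discovery_url(issuer: str) -> str:
    # OIDC Discovery 1.0, section 4: drop a trailing slash, then append the path.
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def require_https(url, what: str) -> str:
    parts = urlsplit(url) if isinstance(url, str) else None
    if parts is None or parts.scheme != "https" or not parts.hostname:
        raise DiscoveryError(f"{what} must be an absolute https URL, got {url!r}")
    return url


def jwks_uri_from_discovery(configured_issuer: str, body: str) -> str:
    """Return jwks_uri from a fetched discovery body, or raise DiscoveryError."""
    require_https(configured_issuer, "issuer")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise DiscoveryError("discovery document is not valid JSON") from exc
    if not isinstance(doc, dict):
        raise DiscoveryError("discovery document is not a JSON object")
    # Section 4.3: the document's issuer must be identical to the configured one
    # (exact string match, trailing slash included). A mismatch means the keys
    # it points at belong to some other issuer.
    if doc.get("issuer") != configured_issuer:
        raise DiscoveryError(f"issuer mismatch: {doc.get('issuer')!r}")
    return require_https(doc.get("jwks_uri"), "jwks_uri")


# Constructed sample documents (not captured from any real provider).
ISSUER = "https://idp.example.com/"
KEYS = "https://idp.example.com/keys"
GOOD = json.dumps({"issuer": ISSUER, "jwks_uri": KEYS})
OTHER_ISSUER = json.dumps({"issuer": "https://idp.example.com", "jwks_uri": KEYS})
PLAIN_HTTP = json.dumps({"issuer": ISSUER, "jwks_uri": "http://idp.example.com/keys"})

if __name__ == "__main__":
    for name, body in [("good", GOOD), ("other", OTHER_ISSUER), ("http", PLAIN_HTTP)]:
        try:
            print(name, "->", jwks_uri_from_discovery(ISSUER, body))
        except DiscoveryError as err:
            print(name, "-> rejected:", err)
```

The same issuer string should later be compared against the `iss` claim of every ID token, and the configured client ID against `aud`.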