Add openid connect support using doorkeeper-openid_connect gem

... as discussed in [Issue 507](https://github.com/openstreetmap/operations/issues/507)
and described by @mmd-osm.

To activate, set the value of `doorkeeper_signing_key` to RSA private key.

Allows using openstreetmap as an identity provider.

Adds `openid` scope to OAuth2 authorizations, required to login to OSM.

Currently, the only claims returned are:
 - "openid" scope: "sub" and "preferred_username"
 - "read_email" scope: "email"

config/initializers/doorkeeper.rb

@@ -225,7 +225,7 @@ Doorkeeper.configure do
   # https://doorkeeper.gitbook.io/guides/ruby-on-rails/scopes
 
   # default_scopes  :public
-  optional_scopes(*Oauth::SCOPES, *Oauth::PRIVILEGED_SCOPES)
+  optional_scopes(*Oauth::SCOPES, *Oauth::PRIVILEGED_SCOPES, *Oauth::OAUTH2_SCOPES)
 
   # Allows to restrict only certain scopes for grant_type.
   # By default, all the scopes will be available for all the grant types.

config/initializers/doorkeeper_openid_connect.rb

@@ -2,71 +2,37 @@
 
 Doorkeeper::OpenidConnect.configure do
   issuer do |_resource_owner, _application|
-    "issuer string"
+    "#{Settings.server_protocol}://#{Settings.server_url}"
   end
 
-  signing_key <<~KEY
-    -----BEGIN RSA PRIVATE KEY-----
-    ....
-    -----END RSA PRIVATE KEY-----
-  KEY
+  signing_key Settings.doorkeeper_signing_key
 
   subject_types_supported [:public]
 
   resource_owner_from_access_token do |access_token|
-    # Example implementation:
-    # User.find_by(id: access_token.resource_owner_id)
+    User.find_by(:id => access_token.resource_owner_id)
   end
 
   auth_time_from_resource_owner do |resource_owner|
-    # Example implementation:
-    # resource_owner.current_sign_in_at
+    # empty block necessary as a workaround to missing configuration
+    # when no auth_time claim is provided
   end
 
-  reauthenticate_resource_owner do |resource_owner, return_to|
-    # Example implementation:
-    # store_location_for resource_owner, return_to
-    # sign_out resource_owner
-    # redirect_to new_user_session_url
+  subject do |resource_owner, _application|
+    resource_owner.id
   end
 
-  # Depending on your configuration, a DoubleRenderError could be raised
-  # if render/redirect_to is called at some point before this callback is executed.
-  # To avoid the DoubleRenderError, you could add these two lines at the beginning
-  #  of this callback: (Reference: https://github.com/rails/rails/issues/25106)
-  #   self.response_body = nil
-  #   @_response_body = nil
-  select_account_for_resource_owner do |resource_owner, return_to|
-    # Example implementation:
-    # store_location_for resource_owner, return_to
-    # redirect_to account_select_url
+  protocol do
+    Settings.server_protocol.to_sym
   end
 
-  subject do |resource_owner, application|
-    # Example implementation:
-    # resource_owner.id
+  claims do
+    claim :preferred_username, :scope => :openid do |resource_owner, _scopes, _access_token|
+      resource_owner.display_name
+    end
 
-    # or if you need pairwise subject identifier, implement like below:
-    # Digest::SHA256.hexdigest("#{resource_owner.id}#{URI.parse(application.redirect_uri).host}#{'your_secret_salt'}")
+    claim :email, :scope => :read_email, :response => [:id_token, :user_info] do |resource_owner, _scopes, _access_token|
+      resource_owner.email
+    end
   end
-
-  # Protocol to use when generating URIs for the discovery endpoint,
-  # for example if you also use HTTPS in development
-  # protocol do
-  #   :https
-  # end
-
-  # Expiration time on or after which the ID Token MUST NOT be accepted for processing. (default 120 seconds).
-  # expiration 600
-
-  # Example claims:
-  # claims do
-  #   normal_claim :_foo_ do |resource_owner|
-  #     resource_owner.foo
-  #   end
-
-  #   normal_claim :_bar_ do |resource_owner|
-  #     resource_owner.bar
-  #   end
-  # end
 end