Add OIDC section for sign in and sign up page

- name: :oidc → Identifier for this login provider in the app.
- scope: [:openid, :email, :profile] → Tells the provider we want the user’s ID (openid), their email, and basic profile info (name, picture, etc.).
- response_type: :code → Uses Authorization Code Flow, which is more secure because tokens are not exposed in the URL.
- issuer: Rails.application.secrets.oidc_issuer → The base URL of the OIDC provider (e.g., Auth0). Used to find its config.
- discovery: true → Automatically fetches the provider’s endpoints from its discovery document instead of manually setting them.
- client_auth_method: :basic → Sends client ID and secret using HTTP Basic Auth when exchanging the code for tokens.

Add system tests for OIDC Auth

Edit the oauth docs to support OIDC auth

app/lib/omniauth_tenant_setup.rb

@@ -21,6 +21,11 @@ module OmniauthTenantSetup
                 secrets.saml_idp_metadata_url, secrets.saml_idp_sso_service_url)
     end
 
+    def oidc(env)
+      oidc_auth(env, secrets.oidc_client_id,
+                secrets.oidc_client_secret, secrets.oidc_issuer, secrets.oidc_redirect_uri)
+    end
+
     private
 
       def oauth(env, key, secret)
@@ -55,6 +60,17 @@ module OmniauthTenantSetup
         end
       end
 
+      def oidc_auth(env, client_id, client_secret, issuer, redirect_uri)
+        unless Tenant.default?
+          strategy = env["omniauth.strategy"]
+
+          strategy.options[:client_id] = client_id if client_id.present?
+          strategy.options[:client_secret] = client_secret if client_secret.present?
+          strategy.options[:issuer] = issuer if issuer.present?
+          strategy.options[:redirect_uri] = redirect_uri if redirect_uri.present?
+        end
+      end
+
       def secrets
         Tenant.current_secrets
       end