Add OIDC section for sign in and sign up page

- name: :oidc → Identifier for this login provider in the app.
- scope: [:openid, :email, :profile] → Tells the provider we want the user’s ID (openid), their email, and basic profile info (name, picture, etc.).
- response_type: :code → Uses Authorization Code Flow, which is more secure because tokens are not exposed in the URL.
- issuer: Rails.application.secrets.oidc_issuer → The base URL of the OIDC provider (e.g., Auth0). Used to find its config.
- discovery: true → Automatically fetches the provider’s endpoints from its discovery document instead of manually setting them.
- client_auth_method: :basic → Sends client ID and secret using HTTP Basic Auth when exchanging the code for tokens.

Add system tests for OIDC Auth

Edit the oauth docs to support OIDC auth

config/initializers/devise.rb

@@ -296,6 +296,20 @@ Devise.setup do |config|
   end
   config.omniauth :saml, saml_settings.merge(setup: ->(env) { OmniauthTenantSetup.saml(env) })
 
+  config.omniauth :openid_connect,
+                  name: :oidc,
+                  scope: [:openid, :email, :profile],
+                  response_type: :code,
+                  issuer: Rails.application.secrets.oidc_issuer,
+                  discovery: true,
+                  client_auth_method: :basic,
+                  client_options: {
+                    identifier: Rails.application.secrets.oidc_client_id,
+                    secret: Rails.application.secrets.oidc_client_secret,
+                    redirect_uri: Rails.application.secrets.oidc_redirect_uri
+                  },
+                  setup: ->(env) { OmniauthTenantSetup.oidc(env) }
+
   # ==> Warden configuration
   # If you want to use other strategies, that are not supported by Devise, or
   # change the failure app, you can configure them inside the config.warden block.