Add OIDC enrollment

[andrewpmartinez]

Instead of enrolling with a pre-exchanged JWT or a certificate generated from a third-party CA, allow the configuration of external OIDC providers to prove an enrollee's identity and then allow the enrollee to create a certificate authenticator from a CSR. Additionally, allow configuration to dictate whether future authentication requires the certificate or cert+jwt from the IDP.

• allow the configuration of an OIDC provider
• allow the OIDC provider to map claims to attributes (custom or standard)
• allow the restriction of users allowed to enroll based on claims (custom or standard)
• allow a CSR process for certificate generation
• allow configuration for the enrolling identities authentication policy (certificate, certificate+jwt)

[andrewpmartinez]

This will add additional configuration to external JWT signers.

• a new option to enable enrollment (ext jwt signers will now be able to operate in authentication and/or enrollment modes)
• claim mapping for enrollment and claims mapping for authentication (another planned feature)

[andrewpmartinez]

Also see #1352