Auth via OIDC #61

Draft

MerlinDaWizard wants to merge 1 commit into main from oidc-mozilla
MerlinDaWizard commented Feb 14, 2026

Currently, main uses allauth for authentication. While it's great and has its applications, since along with this PR we would be spinning up Authentik as an IdP, Django wouldn't be the source of truth. Allauth doesn't work great for this application in a way I was happy with.

So this PR simplifies and instead uses mozilla-django-oidc. It's simple, perhaps too simple in places, e.g. not supporting OIDC autodiscovery, but it works well for this use case.

Things of note:

  • We no longer support having multiple emails per account.
    • This was kinda janky anyway, with users having to change their email on other services such as Zulip before changing it on the intranet
  • Changing information related to your identity is done in Authentik. (I have accompanying Authentik flows for this)
  • By default mozilla-django-oidc (and allauth, kinda) depend on the user's email not changing. We don't do this and instead use the OIDC sub(ject) claim.
  • Not just a plug-in update, requires migration scripts or manual intervention (tbd)
  • Updating user info on the intranet side requires logging in / out or expiry of access token.
    • I don't think this is a huge disadvantage.
    • The intranet shouldn't be the source of truth anymore anyway.
  • Comes with a bunch of misc stuff. I could do these in a separate PR if I wanted, but I don't believe people are actually actively working on any features currently other than myself. I don't really mind creating merge conflicts or noisy diffs here, I appreciate it's scrappy though.
    • Updating Django version
    • Updating Python version
    • Switching from poetry to uv
    • Formatting a bunch of things with ruff
    • Dockerising (tbd)

If you want to actually review it, focus on the latest commit which actually implements the OIDC stuff.
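
An added example, not code from this PR: a sketch of keying local accounts on the `sub` claim rather than email, as the description above states. The method names mirror the hooks on mozilla-django-oidc's `OIDCAuthenticationBackend`; the `User` dataclass, the in-memory dict standing in for the Django ORM, the simplified `authenticate(claims)` signature and the sample claims are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class User:  # stand-in for the Django user model (assumption)
    sub: str  # OIDC subject claim: stable and unique per issuer
    email: str
    name: str = ""


class SubKeyedBackend:
    """Keys accounts on `sub`; a dict replaces the ORM so this runs offline."""

    def __init__(self):
        self.users = {}  # sub -> User

    def verify_claims(self, claims):
        # Refuse claims without a usable subject; never fall back to email.
        return bool(claims.get("sub"))

    def filter_users_by_claims(self, claims):
        user = self.users.get(claims["sub"])
        return [user] if user else []

    def create_user(self, claims):
        user = User(claims["sub"], claims.get("email", ""), claims.get("name", ""))
        self.users[user.sub] = user
        return user

    def update_user(self, user, claims):
        # Profile data is refreshed from the IdP's claims at each login.
        user.email = claims.get("email", user.email)
        user.name = claims.get("name", user.name)
        return user

    def authenticate(self, claims):  # simplified: the real hook takes a request
        if not self.verify_claims(claims):
            return None
        found = self.filter_users_by_claims(claims)
        return self.update_user(found[0], claims) if found else self.create_user(claims)


def demo():
    backend = SubKeyedBackend()
    first = backend.authenticate({"sub": "a1", "email": "old@example.org"})
    # Same person after changing email in the IdP: same account, email refreshed.
    again = backend.authenticate({"sub": "a1", "email": "new@example.org"})
    # A different subject now holding the old address gets a separate account.
    other = backend.authenticate({"sub": "b2", "email": "old@example.org"})
    return first is again, again.email, other is not first, len(backend.users)
```
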
