- May 22, 2024
  Julian authored
  Closes #163
- Mar 24, 2024
  Julian authored
- Mar 21, 2024
  Julian authored
  Limited to OpenID provider conformance profiles "Basic" and "Config":
    - Support for features mandatory to implement for all OpenID Providers, not the feature set for Dynamic OpenID Providers
    - Only Authorization Code Flow, no support for Implicit/Hybrid Flow
    - Only code response type, no support for token/id_token
    - Server metadata is served at /.well-known/openid-configuration

  Additional/optional features:
    - Support for "claims" parameter
    - Support for standard scopes "profile" and "email"
    - Support for non-standard scope/claim "groups" (in violation of RFC 9068)

  Compatibility with existing (working) uffd client setups: Authorization requests without the "openid" scope behave the same as before. Prior to this change authorization requests with the "openid" scope were rejected by uffd.

  This change adds direct dependencies to pyjwt and cryptography. Prior to this change both were already transitive dependencies of oauthlib.
- Feb 23, 2024
  Julian authored
  SQLAlchemy v1.4 (Debian Bookworm) annoyingly warns about overlapping user/mfa_method relationships. Fixes #146
- Nov 07, 2023
  Julian authored
  Time-based one-time password (TOTP) codes are only valid for a short period of time. In addition they are meant to be single-use to make them more resistant against phishing and eavesdropping (e.g. keyloggers). Prior to this change uffd did not keep track of used codes and thus did not prevent code reuse.
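The commit above describes the TOTP replay problem (a code stays valid for the whole time step, so without bookkeeping it can be accepted twice). The following is an added illustration, not uffd's code: a minimal RFC 6238 verifier that remembers which time-step counters have already been accepted per user and refuses a second use. The secret and timestamps are constructed for the demo; the class name `TotpVerifier`, the window size and the pruning strategy are assumptions, not uffd's design.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Set

# Added example (not uffd's implementation): replay-resistant TOTP verification.
STEP = 30      # length of one TOTP time step in seconds (RFC 6238 default)
DIGITS = 6     # code length
WINDOW = 1     # accept one step of clock drift on either side


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP)


class TotpVerifier:
    """Verifies TOTP codes and rejects reuse of an already accepted code.

    used_counters maps user -> set of time-step counters that were accepted.
    In a real deployment this set would live in the database next to the
    MFA method; here it is in memory for the demonstration.
    """

    def __init__(self) -> None:
        self.used_counters: Dict[str, Set[int]] = {}

    def verify(self, user: str, secret: bytes, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        current = now // STEP
        window = range(current - WINDOW, current + WINDOW + 1)
        used = self.used_counters.setdefault(user, set())
        # Counters outside the window can never be accepted again, so they
        # are safe to forget; this keeps the per-user set bounded.
        used.intersection_update(window)
        for counter in window:
            if hmac.compare_digest(hotp(secret, counter), code):
                if counter in used:
                    return False   # correct code, but already consumed: replay
                used.add(counter)
                return True
        return False               # no counter in the window produced this code
```

The check keys replay detection on the time-step counter rather than the code string, so a code that happens to repeat in a later step is still accepted while the same step can only be used once per user.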
- Nov 13, 2022
  Julian authored
- Nov 08, 2022
  Julian authored
- Nov 06, 2022
  Julian authored
  This setting is more flexible than the existing REMAILER_LIMIT_TO_USERS config option. The config option is therefore deprecated and will be removed in the next major version.
- Nov 03, 2022
  Julian authored
  Previously Unix UIDs/GIDs were allocated by using the highest used ID + 1. This caused ID reuse when the newest user/group was deleted. In addition, the implementation did not work on MariaDB (at all, it was not possible to create users/groups).

  The new approach accounts for all IDs ever used regardless of whether or not users/groups are deleted. It always allocates the lowest ID in the configured range that was never used.

  Aside from the different allocation algorithm, this change introduces a generic locking mechanism and prerequisites for testing migration scripts.
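To make the difference between the two allocation strategies from the commit above concrete, here is an added example (not uffd's code) that implements both: the old "highest used ID + 1" rule, which hands out a deleted ID again, and an allocator that records every ID ever handed out in a table that is never deleted from and always returns the lowest never-used ID in the configured range. The SQLite schema, the table name `uid_allocation` and the use of an IMMEDIATE transaction as a stand-in for uffd's generic lock are assumptions made for this demo.

```python
import sqlite3
from typing import Iterable

# Added example (not uffd's implementation) of Unix ID allocation strategies.


def naive_next_id(existing_ids: Iterable[int], id_min: int) -> int:
    """Old strategy: highest currently used ID + 1.

    Because it only looks at IDs that are still in use, deleting the most
    recently created user/group makes its ID come back for the next one.
    """
    ids = list(existing_ids)
    return max(ids) + 1 if ids else id_min


class RangeExhausted(RuntimeError):
    """Raised when every ID in the configured range has been used at some point."""


class IdAllocator:
    """New strategy: lowest ID in [id_min, id_max] that was never allocated.

    Every allocation is recorded in uid_allocation; rows are never removed,
    so deleting the owning user/group does not free the ID.
    """

    def __init__(self, conn: sqlite3.Connection, id_min: int, id_max: int) -> None:
        self.conn = conn
        self.id_min = id_min
        self.id_max = id_max
        # Manage transactions explicitly so the lock below is real.
        self.conn.isolation_level = None
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS uid_allocation (id INTEGER PRIMARY KEY)"
        )

    def allocate(self) -> int:
        # BEGIN IMMEDIATE takes the write lock up front, so two concurrent
        # allocators cannot both pick the same lowest free ID (assumed stand-in
        # for a generic database lock). The PRIMARY KEY is a second safety net.
        self.conn.execute("BEGIN IMMEDIATE")
        try:
            rows = self.conn.execute(
                "SELECT id FROM uid_allocation WHERE id BETWEEN ? AND ?",
                (self.id_min, self.id_max),
            )
            ever_used = {row[0] for row in rows}
            for candidate in range(self.id_min, self.id_max + 1):
                if candidate not in ever_used:
                    self.conn.execute(
                        "INSERT INTO uid_allocation (id) VALUES (?)", (candidate,)
                    )
                    self.conn.execute("COMMIT")
                    return candidate
            raise RangeExhausted(f"no unused ID left in {self.id_min}..{self.id_max}")
        except BaseException:
            self.conn.execute("ROLLBACK")
            raise
```

The linear scan over the range is fine for the few thousand IDs typical of a Unix user range; for larger ranges the lowest gap can be found with a single SQL query instead, but the important property is the one the commit names: the record of used IDs outlives the user or group that held them.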
- Oct 25, 2022
  Julian authored
  Enforces uniqueness of (verified) email addresses across all users. Email addresses are compared case-insensitively and Unicode-normalized. The new unique constraints are disabled by default and can be enabled with a CLI command. They are planned to become mandatory in uffd v3.

  A lot of software does not allow multiple users to share the same email address. This change prevents problems with such software.

  To enable this feature run the command:

    uffd-admin unique-email-addresses enable

  The command reports any issues (e.g. existing duplicate addresses) that prevent enabling the feature.

  This change also introduces a generic mechanism to store feature flags in the database and improves error handling for login name constraint violations.
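As an added illustration of the comparison rule in the commit above (case-insensitive and Unicode-normalized, verified addresses only), here is a small Python example that is not uffd's code. It normalizes addresses for comparison and reports the duplicate groups that would block enabling the feature, which is the kind of check the `enable` command is described as doing. The choice of NFKC plus `casefold()` and the user tuples are assumptions constructed for the demo.

```python
import unicodedata
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Added example (not uffd's implementation): verified-email uniqueness check.

User = Tuple[str, str, bool]   # (login name, email address, email verified?)


def normalize_email(addr: str) -> str:
    """Comparison key for an email address.

    NFKC folds compatibility characters (e.g. the 'ﬁ' ligature to 'fi') and
    casefold() is stronger than lower() for non-ASCII letters. The key is used
    only for comparison; the address as the user entered it is still stored.
    """
    return unicodedata.normalize("NFKC", addr.strip()).casefold()


def find_duplicate_emails(users: Iterable[User]) -> Dict[str, List[str]]:
    """Return {normalized email: [login names]} for every verified address shared
    by more than one user. Unverified addresses are ignored, matching the rule
    that only verified addresses are subject to the constraint."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for login, email, verified in users:
        if verified:
            groups[normalize_email(email)].append(login)
    return {key: logins for key, logins in groups.items() if len(logins) > 1}


def can_enable_unique_emails(users: Iterable[User]) -> bool:
    """True when no verified address is shared, i.e. the constraint can be enabled."""
    return not find_duplicate_emails(users)


# Constructed sample data for the demonstration.
SAMPLE_USERS: List[User] = [
    ("alice", "Alice@Example.org", True),
    ("alice2", "alice@example.org", True),      # same as alice, different case
    ("bob", "bob@example.org", True),
    ("carol", "\ufb01ona@example.org", True),   # 'ﬁ' ligature, NFKC -> "fiona"
    ("fiona", "fiona@example.org", True),
    ("eve", "alice@example.org", False),        # unverified: not counted
]
```

Running `find_duplicate_emails(SAMPLE_USERS)` flags two groups, alice/alice2 and carol/fiona, while eve's unverified copy of alice's address is not reported; resolving those groups first is what lets the feature be switched on.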
- Oct 22, 2022