  1. May 22, 2024
  2. May 18, 2024
  3. Mar 25, 2024
  4. Mar 21, 2024
      OpenID Connect Core 1.0 and Discovery 1.0 support · edd4f4ca
      Julian authored
      Limited to OpenID provider conformance profiles "Basic" and "Config":
      
      - Support for features mandatory to implement for all OpenID Providers,
        not the feature set for Dynamic OpenID Providers
      - Only Authorization Code Flow, no support for Implicit/Hybrid Flow
      - Only code response type, no support for token/id_token
      - Server metadata is served at /.well-known/openid-configuration
      
      Additional/optional features:
      
      - Support for "claims" parameter
      - Support for standard scopes "profile" and "email"
      - Support for non-standard scope/claim "groups" (in violation of RFC 9068)
      
      Compatibility with existing (working) uffd client setups: Authorization
      requests without the "openid" scope behave the same as before. Prior to this
      change authorization requests with the "openid" scope were rejected by uffd.
      
      This change adds direct dependencies to pyjwt and cryptography. Prior to this
      change both were already transitive dependencies of oauthlib.
  5. Nov 08, 2023
  6. Nov 07, 2023
      Prevent TOTP code reuse · 7a94d7de
      Julian authored
      Time-based one-time password (TOTP) codes are only valid for a short period
      of time. In addition they are meant to be single-use to make them more
      resistant against phishing and eavesdropping (e.g. keyloggers). Prior to this
      change uffd did not keep track of used codes and thus did not prevent code
      reuse.
  7. Oct 22, 2023
      Debian Bookworm support · 0d870ee1
      Julian authored
      - Add CI tests for Bookworm
      - Disable pylint deprecation warnings for crypt
      - Mitigate Flask changes that broke a few tests
      - Set create_constraint=True for Booleans/Enums to mitigate SQLAlchemy changes
      - Mitigate new Alembic CHECK constraint behaviour in batch mode
  8. Nov 13, 2022
  9. Nov 08, 2022
  10. Nov 06, 2022
      Add per-service setting for testing remailer · 05f68ec8
      Julian authored
      This setting is more flexible than the existing REMAILER_LIMIT_TO_USERS config
      option. The config option is therefore deprecated and will be removed in the
      next major version.
  11. Oct 25, 2022
      Unique email addresses · 620cf9ab
      Julian authored
      Enforces uniqueness of (verified) email addresses across all users. Email
      addresses are compared case-insensitively and Unicode-normalized. The new
      unique constraints are disabled by default and can be enabled with a CLI
      command. They are planned to become mandatory in uffd v3.
      
      A lot of software does not allow multiple users to share the same email
      address. This change prevents problems with such software.
      
      To enable this feature run the command:
      
        uffd-admin unique-email-addresses enable
      
      The command reports any issues (e.g. existing duplicate addresses) that
      prevent enabling the feature.
      
      This change also introduces a generic mechanism to store feature flags in the
      database and improves error handling for login name constraint violations.
  12. Oct 22, 2022
      Restructure tests · 0bd26ee8
      Julian authored
      Restructure tests into views/models/commands subdirectories to mirror the new
      source tree structure introduced with ac731bf4 (Restructure source tree).