
feat: add mod_oauth2#753

Open
Tadas Sutkaitis (fitbeard) wants to merge 2 commits intomainfrom
feat/add_mod_oauth2

Conversation

@fitbeard

Add mod_oauth2. This allows JWKS verification per domain/realm.

In Atmosphere for Keystone we are using this configuration snippet:

{% for domain in keystone_domains %}
<Location /v3/OS-FEDERATION/identity_providers/{{ domain.name }}/protocols/openid/auth>
  AuthType oauth20
  Require valid-user
</Location>
...
{% endfor %}

After the introduction of mod_oauth2 we can change this to:

{% for domain in keystone_domains %}
<Location /v3/OS-FEDERATION/identity_providers/{{ domain.name }}/protocols/openid/auth>
  AuthType oauth2
  Require valid-user
  OAuth2TargetPass prefix=OIDC-
  OAuth2TokenVerify jwks_uri {{ domain.keycloak_server_url }}/realms/{{ domain.keycloak_realm }}/protocol/openid-connect/certs
</Location>
...
{% endfor %}

This adds more options for token verification, using a JWKS URI, token introspection, or a JWT token attribute check, PER domain.

The inspiration for this change is vexxhost/sunrise#39 for Sunrise, where the same JWT token from Keycloak that is used for Keystone auth is used once again, over token exchange, to authorize the user to access S3 resources.

Co-authored-by: Copilot <copilot@github.com>
Signed-off-by: Tadas Sutkaitis <tadas.sutkaitis@vexxhost.com>
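Added example, not code from this PR, from Atmosphere or from mod_oauth2: a stdlib-only Python model of what the per-`<Location>` `OAuth2TokenVerify jwks_uri ...` check above amounts to. Each Keystone domain is bound to one Keycloak realm's JWKS, so a token is accepted only if its `kid` is in that realm's key set, its RS256 signature verifies under that key, and its `iss` and `exp` claims check out. The realm issuer URLs, key IDs and claims are constructed for the demo, the RSA keys are generated at runtime (1024-bit to keep it fast; real IdPs use 2048-bit or larger), and the hand-written RS256 stands in for the JOSE library mod_oauth2 uses. Function names such as `verify_token` and `demo` are this example's own, not mod_oauth2's.

```python
import base64, hashlib, hmac, json, math, secrets, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin, enough for a demo key; not a production keygen."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def gen_rsa_key(bits: int = 1024):
    """Return (n, e, d). 1024 bits keeps the demo fast; real IdPs use >= 2048."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(message: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(message: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(message, k))

def jwk_public(kid: str, n: int, e: int) -> dict:
    """What a realm's .../protocol/openid-connect/certs entry looks like."""
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": b64url(nb), "e": b64url(eb)}

def mint_token(n: int, d: int, kid: str, claims: dict) -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(rs256_sign(signing_input.encode(), n, d))

def verify_token(token: str, jwks: dict, expected_iss: str, now=None):
    """The per-<Location> check: signature against THIS realm's JWKS, then iss and exp.
    Returns (claims, None) on success or (None, reason) on failure."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
    except (ValueError, json.JSONDecodeError):
        return None, "malformed token"
    if header.get("alg") != "RS256":
        return None, "unsupported alg"  # refuse 'none' and HMAC downgrades
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "RSA":
        return None, "kid not in this realm's JWKS"
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not rs256_verify(f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64), n, e):
        return None, "bad signature"
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != expected_iss:
        return None, "issuer mismatch"
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None, "expired"
    return claims, None

def demo() -> dict:
    """Two Keystone domains, each bound to its own (constructed) Keycloak realm."""
    realms = {}
    for domain in ("domain-a", "domain-b"):
        n, e, d = gen_rsa_key()
        realms[domain] = {"iss": f"https://keycloak.example/realms/{domain}",  # constructed
                          "priv": (n, d), "jwks": {"keys": [jwk_public(f"{domain}-key-1", n, e)]}}
    a, b, now = realms["domain-a"], realms["domain-b"], int(time.time())
    token = mint_token(*a["priv"], "domain-a-key-1", {"iss": a["iss"], "sub": "alice", "exp": now + 300})
    ok, _ = verify_token(token, a["jwks"], a["iss"], now)        # right Location: accepted
    _, cross = verify_token(token, b["jwks"], b["iss"], now)     # other domain's Location: rejected
    h, _, s = token.split(".")                                   # re-use signature on edited claims
    forged_p = b64url(json.dumps({"iss": a["iss"], "sub": "admin", "exp": now + 300}).encode())
    _, forged = verify_token(f"{h}.{forged_p}.{s}", a["jwks"], a["iss"], now)
    _, expired = verify_token(token, a["jwks"], a["iss"], now + 600)
    return {"same_realm_sub": ok["sub"], "cross_realm": cross, "forged": forged, "expired": expired}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `cross_realm` result is the point of configuring `OAuth2TokenVerify` inside each domain's `<Location>` rather than once globally: a valid Keycloak token for realm A is rejected at domain B's endpoint because B's JWKS does not contain A's `kid`, independent of any later `iss` comparison. In a real deployment the JWKS is fetched from the realm's `certs` URL and cached, so a key rotation on the Keycloak side shows up as a new `kid` rather than as a config change.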