Changes for basing OIDC identity around preferred_username
The parts here:
- Create a backend that uses preferred_username to derive usernames
- Use username in the APIs
- Add a setting to switch the OIDC backend
There's also the semi-relevant REST APIs which were requested by upstream, which also need to be switched to using usernames. I've included the full code adding them, since I don't believe they've merged anywhere yet, just so we don't lose track of this part too.