@juliangiebel juliangiebel commented Sep 1, 2025

!!!This PR was locally tested extensively. It should still be tested with different OAuth clients used in production though, especially the wiki, as it can potentially break those OAuth clients/applications. Ideally, upgrading SS14.Web is tested on a separate instance created from a snapshot first!!!

This PR updates the project to .net 9 and replaces IdentityServer4 with OpenIddict while trying to ensure that existing OAuth applications keep working. For that purpose there is a data migration SQL script under tools/identityserver4_to_openiddict_data_migration.sql.

Differences between IdentityServer4 and OpenIddict

The biggest difference between the two OIDC solutions is the way clients/applications are stored and the number of extra features and settings.
OpenIddict uses far fewer database entities to store applications, as it stores most non-queried settings and configuration as JSON inside the application entity. It also doesn't normalize entities to quite the extent IS4 does.

This means there was no need for a separate schema.
Also, a lot of settings that weren't used were removed from the UI, as implementing them with OpenIddict would mean adding custom settings and implementing custom event handlers (which this PR already does for settings that had to be re-implemented, like "PlainPkce" and "Allow PS256").

Encryption and Signing keys have to be supplied as certificates using PFX files.

OpenIddict also uses a different hashing algorithm for secrets, and it salts them, so migrated keys from IS4 are marked as legacy and handled separately using a re-implementation of the way secrets are hashed in IS4 (which uses standard .net cryptography methods).

Additional changes

  • With the upgrade to .net 9 this PR also consolidates Program.cs and Startup.cs for SS14.Web/SS14.Web into a single top-level Program.cs file.
  • Some files use #nullable true.
  • Custom implementations for postgres type conversions/handlers weren't necessary anymore and got removed.

Noteworthy improvements

  • The /.well-known/openid-configuration now only lists actually supported capabilities and features
  • Access and authentication tokens are encrypted (which might've already been the case with IS4)
  • Requested scopes are now present in the ID token in addition to getting them from the userinfo endpoint

Generating encryption and signing certificates

At least one encryption and one signing certificate need to be generated and configured for each encryption/signing algorithm that needs to be supported.
For this purpose a csx file exists under tools\GenerateCerts.csx (I used the .net 10 preview to execute it; otherwise it needs a proper project file).
Executing that file will generate 3 certificates: one encryption certificate using RS256 and two signing certificates using RS256 and PS256 respectively.

Example certificate configuration

```yaml
OpenId:
  Certificates:
    DefaultSigningAlgorithm: RS256
    EncryptionCertificates:
      - Path: 'C:\Users\julia\Projects\SS14.Web\cert\server-encryption-certificate.pfx'
    SigningCertificates:
      - Path: 'C:\Users\julia\Projects\SS14.Web\cert\server-signing-certificate-rsa-pss.pfx'
        Algorithm: PS256
      - Path: 'C:\Users\julia\Projects\SS14.Web\cert\server-signing-certificate-rsa.pfx'
```

Fixes #20
Fixes #17
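The legacy-secret handling described in the PR, as an added example that is not part of the PR or of the SS14.Web code base: an IS4-style unsalted Base64(SHA-256) (or SHA-512) hash is verified side by side with a salted PBKDF2-HMAC-SHA256 hash, a legacy flag on the stored row decides which verifier runs, and a successful legacy check re-hashes the secret into the salted form so the unsalted digest does not outlive its first use. The `StoredSecret` record, the `pbkdf2-sha256$<iterations>$<salt>$<hash>` string layout and the 600,000 iteration count are this example's own choices; OpenIddict's actual on-disk encoding is not reproduced here.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stand-in for the migrated secret row: the PR's SQL migration marks
// IS4 secrets as legacy; here that marker is the IsLegacy flag.
public sealed record StoredSecret(string Value, bool IsLegacy);

public static class ClientSecretHasher
{
    private const int Pbkdf2Iterations = 600_000; // OWASP guidance for PBKDF2-HMAC-SHA256 (example's choice)
    private const int SaltSize = 16;
    private const int KeySize = 32;

    // IdentityServer4 format: Base64(SHA-256(secret)) with no salt and no work factor.
    public static StoredSecret HashLegacy(string secret) =>
        new(Convert.ToBase64String(SHA256.HashData(Encoding.UTF8.GetBytes(secret))), IsLegacy: true);

    // Salted format used for new secrets in this example (not OpenIddict's encoding):
    // "pbkdf2-sha256$<iterations>$<base64 salt>$<base64 derived key>"
    public static StoredSecret HashSalted(string secret)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(secret, salt, Pbkdf2Iterations, HashAlgorithmName.SHA256, KeySize);
        string encoded = $"pbkdf2-sha256${Pbkdf2Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(key)}";
        return new(encoded, IsLegacy: false);
    }

    // The legacy flag, not the shape of the stored string, selects the verifier.
    public static bool Verify(string presented, StoredSecret stored) =>
        stored.IsLegacy ? VerifyLegacy(presented, stored.Value) : VerifySalted(presented, stored.Value);

    private static bool VerifyLegacy(string presented, string storedBase64)
    {
        byte[] stored;
        try { stored = Convert.FromBase64String(storedBase64); }
        catch (FormatException) { return false; }

        byte[] input = Encoding.UTF8.GetBytes(presented);
        // IS4 accepted either a SHA-256 or a SHA-512 digest; the stored length picks the candidate.
        byte[] computed = stored.Length switch
        {
            32 => SHA256.HashData(input),
            64 => SHA512.HashData(input),
            _ => Array.Empty<byte>(),
        };
        return computed.Length > 0 && CryptographicOperations.FixedTimeEquals(computed, stored);
    }

    private static bool VerifySalted(string presented, string encoded)
    {
        string[] parts = encoded.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256"
            || !int.TryParse(parts[1], out int iterations) || iterations < 1)
            return false;

        byte[] salt, expected;
        try { salt = Convert.FromBase64String(parts[2]); expected = Convert.FromBase64String(parts[3]); }
        catch (FormatException) { return false; }
        if (salt.Length == 0 || expected.Length == 0) return false;

        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(presented, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Opportunistic upgrade: the plaintext secret is only available at verification time,
    // so that is the moment to replace an unsalted legacy digest with a salted one.
    public static StoredSecret VerifyAndUpgrade(string presented, StoredSecret stored, out bool ok)
    {
        ok = Verify(presented, stored);
        return ok && stored.IsLegacy ? HashSalted(presented) : stored;
    }
}

public static class Demo
{
    public static void Main()
    {
        const string secret = "correct horse battery staple";        // constructed sample secret
        StoredSecret legacy = ClientSecretHasher.HashLegacy(secret);  // what the migration would carry over
        Console.WriteLine($"legacy verifies: {ClientSecretHasher.Verify(secret, legacy)}");
        Console.WriteLine($"wrong secret rejected: {!ClientSecretHasher.Verify("wrong", legacy)}");

        StoredSecret upgraded = ClientSecretHasher.VerifyAndUpgrade(secret, legacy, out bool ok);
        Console.WriteLine($"upgraded to salted: {ok && !upgraded.IsLegacy}, still verifies: {ClientSecretHasher.Verify(secret, upgraded)}");
    }
}
```

Both verifiers compare digests with `CryptographicOperations.FixedTimeEquals` rather than string equality, and the legacy path hashes the presented value before comparing so the comparison is constant-time regardless of input length. Persisting the result of `VerifyAndUpgrade` back to the application row is left to the caller.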

Upgrade nuget packages
Fix npgsql errors from upgrade
Note: (IpAddress, int) is now NpgsqlCidr
Implement unit tests for multiple secret handling methods
Implement custom url validator
Work on admin oauth app settings page
Implement legacy token handling test

```csharp
// Excerpt from tools/GenerateCerts.csx under review: self-signed certificate, 10-year validity,
// exported as an unencrypted PFX (empty password).
var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(10));

File.WriteAllBytes("server-encryption-certificate.pfx", certificate.Export(X509ContentType.Pfx, string.Empty));
```
Member
Might want to add a check if any of these files exist and throw hard, so we don't accidentally the certs.
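The certificate generation step from the PR description, together with the reviewer's point about not clobbering existing files, as an added example written as C# top-level statements (it is not the PR's tools/GenerateCerts.csx): three self-signed RSA certificates are exported as PFX files under the file names used in the example configuration, and each file is opened with `FileMode.CreateNew` so an existing certificate makes the run fail hard instead of being silently overwritten. The subject names, the 3072-bit key size, the key-usage extensions and the output-directory argument are assumptions of this example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Output directory comes from the first CLI argument (assumption); "cert" matches the example config.
string outputDir = args.Length > 0 ? args[0] : "cert";
Directory.CreateDirectory(outputDir);

// File names follow the example configuration. RS256 vs PS256 is a JWS signing choice made in
// OpenId:Certificates:SigningCertificates[].Algorithm; both signing keys are ordinary RSA keys.
var specs = new (string FileName, string Subject, X509KeyUsageFlags Usage)[]
{
    ("server-encryption-certificate.pfx",      "CN=SS14.Web token encryption",    X509KeyUsageFlags.KeyEncipherment),
    ("server-signing-certificate-rsa.pfx",     "CN=SS14.Web token signing RS256", X509KeyUsageFlags.DigitalSignature),
    ("server-signing-certificate-rsa-pss.pfx", "CN=SS14.Web token signing PS256", X509KeyUsageFlags.DigitalSignature),
};

foreach (var (fileName, subject, usage) in specs)
{
    string path = Path.Combine(outputDir, fileName);
    WriteNewFile(path, CreatePfx(subject, usage));
    Console.WriteLine($"wrote {path}");
}

// Self-signed RSA certificate with a 10-year validity, exported as PFX. The PFX has an empty
// password, as in the PR's snippet, so the file must be protected by filesystem permissions.
static byte[] CreatePfx(string subject, X509KeyUsageFlags usage)
{
    using RSA rsa = RSA.Create(3072);
    var request = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    request.CertificateExtensions.Add(new X509KeyUsageExtension(usage, true));
    request.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
    DateTimeOffset notBefore = DateTimeOffset.UtcNow.AddMinutes(-5); // tolerate small clock skew
    using X509Certificate2 certificate = request.CreateSelfSigned(notBefore, notBefore.AddYears(10));
    return certificate.Export(X509ContentType.Pfx, string.Empty);
}

// FileMode.CreateNew makes the OS refuse to open an existing file, so the existence check and
// the write are one atomic step (no check-then-write race) and an old key is never overwritten.
static void WriteNewFile(string path, byte[] content)
{
    try
    {
        using var stream = new FileStream(path, FileMode.CreateNew, FileAccess.Write, FileShare.None);
        stream.Write(content, 0, content.Length);
    }
    catch (IOException) when (File.Exists(path))
    {
        throw new InvalidOperationException($"Refusing to overwrite existing certificate '{path}'. Delete or rename it first.");
    }
}
```

Run it as a .NET 9 console project (`dotnet run -- ./cert`); a second run against the same directory throws before touching any file, which is the behaviour the review comment asks for.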

@VasilisThePikachu VasilisThePikachu Nov 22, 2025


Considering this tool will be run once, I doubt it's really an issue. I guess it's quick to code though, just in case.

Member
Lowercase SQL is a crime

@VasilisThePikachu VasilisThePikachu left a comment


Ok, well, one thing you SHOULD actually do is update the dotnet version for the test so it won't fail.

Also, I guess look into net 10 support now; OpenIddict does support it.


Successfully merging this pull request may close these issues.

  • Redirect URI entry for OAuth apps needs to normalize escape codes
  • Allow including claims in identity tokens for OAuth.
