Full auth flow through to OIDC provider (Keycloak)

You can see it in action here. This is a user that exists as an Account but their credentials are managed by Keycloak and verified at the time of macaroon discharging.

First I show unknown user, then known user with wrong password and finally known user with correct password.

https://asciinema.org/a/UUOt224A7oTYT6KH14C8vAz9w