This is broken out from #12465, since it's not closely related to the other engineering work in terms of scope or requirements.
OIDC IdP support for PyPI
This task requires PyPI to become an identity provider (IdP), specifically supporting OAuth2 flows that produce OIDC-compatible JWTs. These OIDC tokens must serve as proof of possession/identity for a given PyPI account.
Core engineering subtasks:
Dependency review and collection (selecting a high-quality OAuth2/OIDC server library)
Secret initialization and management (reusing Warehouse's existing Vault infrastructure for the OAuth secrets)
Core development (actually building the API endpoints that'll handle the OAuth2/OIDC flow; integrating them into PyPI's extant AuthN/AuthZ components)
Testing and end-user documentation
I think the original idea behind it was that PyPI could become an IdP for ecosystems like Sigstore, which in turn would mean that users could sign for packages with their PyPI identity rather than having to have an account with another IdP.
(That's my recollection at least -- @di might remember better 🙂)
That was the general idea, but I think supporting signing artifacts with non-PyPI identities is going to make more sense here instead (e.g., a signature from the GitHub Actions identity that built the release). I think we can go ahead and close this.