Enable OpenID Connect by default, without RSA support

This was done to ease testing without having to generate and configure an RSA key. OpenID Connect is fully functional even without an RSA key, although operating without RSA is not recommended.

On the go, support for directly passing keys in the configuration, e.g. when configuring AlekSIS from a K8s secret, was added.

aleksis/core/settings.py

 import os
+import warnings
 from glob import glob
 from socket import getfqdn
 
+from django.core.exceptions import ImproperlyConfigured
 from django.utils.translation import gettext_lazy as _
 
 from dynaconf import LazySettings
@@ -368,25 +370,33 @@ INVITATIONS_GONE_ON_ACCEPT_ERROR = False
 INVITATIONS_ACCEPT_INVITE_AFTER_SIGNUP = True
 
 # Configuration for OAuth2 provider
-OAUTH2_PROVIDER = {"SCOPES_BACKEND_CLASS": "aleksis.core.util.auth_helpers.AppScopes"}
+OAUTH2_PROVIDER = {
+    "SCOPES_BACKEND_CLASS": "aleksis.core.util.auth_helpers.AppScopes",
+    "OAUTH2_VALIDATOR_CLASS": "aleksis.core.util.auth_helpers.CustomOAuth2Validator",
+    "OIDC_ENABLED": True,
+}
 OAUTH2_PROVIDER_APPLICATION_MODEL = "core.OAuthApplication"
 OAUTH2_PROVIDER_GRANT_MODEL = "core.OAuthGrant"
 OAUTH2_PROVIDER_ACCESS_TOKEN_MODEL = "core.OAuthAccessToken"  # noqa: S105
 OAUTH2_PROVIDER_ID_TOKEN_MODEL = "core.OAuthIDToken"  # noqa: S105
 OAUTH2_PROVIDER_REFRESH_TOKEN_MODEL = "core.OAuthRefreshToken"  # noqa: S105
 
-if _settings.get("oauth2.oidc.enabled", False):
-    with open(_settings.get("oauth2.oidc.rsa_key", "/etc/aleksis/oidc.pem"), "r") as f:
-        oid_rsa_key = f.read()
-
-    OAUTH2_PROVIDER.update(
-        {
-            "OAUTH2_VALIDATOR_CLASS": "aleksis.core.util.auth_helpers.CustomOAuth2Validator",
-            "OIDC_ENABLED": True,
-            "OIDC_RSA_PRIVATE_KEY": oid_rsa_key,
-            #        "OIDC_ISS_ENDPOINT": _settings.get("oauth2.oidc.issuer_name", "example.com"),
-        }
+_OIDC_RSA_KEY_DEFAULT = "/etc/aleksis/oidc.pem"
+_OIDC_RSA_KEY = _settings.get("oauth2.oidc.rsa_key", "/etc/aleksis/oidc.pem")
+if "BEGIN RSA PRIVATE KEY" in _OIDC_RSA_KEY:
+    OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"] = _OIDC_RSA_KEY
+elif _OIDC_RSA_KEY == _OIDC_RSA_KEY_DEFAULT and not os.path.exists(_OIDC_RSA_KEY):
+    warnings.warn(
+        (
+            f"The default OIDC RSA key in {_OIDC_RSA_KEY} does not exist. "
+            f"RSA will be disabled for now, but creating and configuring a "
+            f"key is recommended. To silence this warning, set oauth2.oidc.rsa_key "
+            f"to the empty string in a configuration file."
+        )
     )
+elif _OIDC_RSA_KEY:
+    with open(_OIDC_RSA_KEY, "r") as f:
+        OAUTH2_PROVIDER["OIDC_RSA_PRIVATE_KEY"] = f.read()
 
 # Configuration for REST framework
 REST_FRAMEWORK = {