kypo-sandbox-api

This replaces the script that generates authsource config with just
the need to place the issuer url in the authsource config. It turns
out that some of the openid connect providers out there cycles the
signing keys so often that storing them directly in the config isn't a
good idea.

This commit also moves most of the OpenID Connect specific code into a
new Provider class, that could in theory also be used by other users
of the oauth2-client library