    provide an initial implementation · 8b481171
    Dr Rich Wareham authored
    Provides an MVP implementation of a login and consent webapp. The
    emphasis here is on the "M". In particular we hard-code the list of
    supported scopes pending some API Gateway-side work (#3).
    
    The actual functionality of the app is in login/views.py and
    login/gateway.py. The remainder of the app is various bits of Django
    ceremony to wire those things together.
    
    I've tried to minimise the required settings. In particular we make use
    of the OpenID discovery endpoint to configure a lot of the
    OAuth2-related settings.
    
    A required setting includes the expected audience for the session id JWT
    from the Gateway. It is tempting to form this dynamically from the
    incoming request but that puts something which is used for token
    verification under the control of the incoming request's headers which
    risks confused-deputy style attacks[1].
    
    Despite being functional and deployable as is, this app needs some
    further work.
    
    We implement the webapp using the traditional Project Light templates
    for speed of implementation. The UI needs a designer's eye (#4).
    
    If the requested scopes include "profile" then we fetch very basic user
    claims from Lookup. This is essentially just the display name at the
    moment. We can add given names, surnames, profile pictures, etc. at a
    later date (#1).
    
    Most importantly, I think this app is an opportunity to require 2SV from
    the get-go for applications using the API Gateway. This has been
    implemented via a small API published by the API gateway which allows
    the 2SV status of a user to be determined. I've opened (#2) to track
    improving the user docs around this since it's not part of the MVP.
    
    Part of https://gitlab.developers.cam.ac.uk/uis/devops/api/gateway-ops/-/issues/66
    
    [1] https://en.wikipedia.org/wiki/Confused_deputy_problem
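The audience point in the commit message, as an added illustration that is not part of this project's code: a minimal JWT verifier (standard library only; HS256 with a shared key is assumed as a stand-in for whatever the Gateway really signs with) checked against a fixed `SESSION_AUDIENCE` setting, beside the tempting variant that derives the audience from the request's Host header. The key, audience names and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Fixed, operator-supplied setting (constructed value): the audience this app
# expects on session id JWTs minted by the Gateway.
SESSION_AUDIENCE = "login-app.example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Build a sample token. Only the Gateway would do this in reality."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_session_jwt(token: str, key: bytes, expected_aud: str) -> Optional[dict]:
    """Return the claims if signature, alg, aud and exp all check out, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        want = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None
    # aud must equal the value this deployment was configured with, nothing else.
    if claims.get("aud") != expected_aud or claims.get("exp", 0) < time.time():
        return None
    return claims


def accept_with_fixed_aud(token: str, key: bytes) -> bool:
    """The commit's approach: audience comes from settings, not the request."""
    return verify_session_jwt(token, key, SESSION_AUDIENCE) is not None


def accept_with_host_derived_aud(token: str, key: bytes, request_host: str) -> bool:
    """The tempting variant: whoever controls the Host header picks the audience."""
    return verify_session_jwt(token, key, request_host) is not None
```

With the Host-derived variant, a validly signed token issued for some other client is accepted as soon as the request names that client's audience; with the fixed setting the same token is rejected.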