
Fix OIDC provider name uniqueness: allow multiple instances of same provider type via idp_id#27

Draft
Copilot wants to merge 2 commits intodevfrom
copilot/fix-provider-name-uniqueness

Conversation


Copilot AI commented Apr 7, 2026

Galaxy's OIDC config used name as both the provider type and unique identifier, making it impossible to configure two instances of the same provider (e.g., two Keycloak realms or multiple generic oidc endpoints). The latter declaration silently overwrote the former.

Changes

New idp_id attribute (optional, backward-compatible)

  • Added to XSD schema. When omitted, defaults to name.lower() — existing configs need no changes.
  • Used as the oidc_backends_config dict key and URL slug (/authnz/{idp_id}/login).
  • name is retained solely for backend class lookup (must still be a known provider type).

Example — two Keycloak instances:

<provider name="Keycloak" idp_id="uni_keycloak">
    <url>https://keycloak.uni.example.org/realms/uni/</url>
    <client_id>...</client_id>
    <client_secret>...</client_secret>
    <redirect_uri>https://galaxy.example.org/authnz/uni_keycloak/callback</redirect_uri>
    <label>University Login</label>
</provider>

<provider name="Keycloak" idp_id="corp_keycloak">
    <url>https://keycloak.corp.example.org/realms/corp/</url>
    <client_id>...</client_id>
    <client_secret>...</client_secret>
    <redirect_uri>https://galaxy.example.org/authnz/corp_keycloak/callback</redirect_uri>
    <label>Corporate Login</label>
</provider>

PSA pipeline: token storage now uses idp_id

  • Replaced social_core.pipeline.social_auth.social_user and associate_user with Galaxy-specific versions (galaxy_social_user, galaxy_associate_user) that use idp_id instead of backend.name when reading/writing UserAuthnzToken.provider.
  • PSAAuthnz now stores both idp_id (for DB/URL) and provider (for BACKENDS class lookup) in its config.

DB migration (d05a9e6a4b51)

  • Converts oidc_user_authnz_tokens.provider from PSA backend names to config key names for providers where they differ:
    Old (PSA backend name)     New (config key / idp_id)
    google-openidconnect       google
    life_science               lifescience
    e-infra_cz                 einfracz
    infraproxy                 nfdi
    okta-openidconnect         okta
    azuread-v2-tenant-oauth2   azure
    egi-checkin                egi_checkin

provider_name_to_backend (authnz/util.py)

  • Updated to return the lowercased config key (= default idp_id) instead of the PSA backend name, so get_oidc_tokens() lookups continue to work post-migration.

How to test the changes?

  • I've included appropriate automated tests.
  • This is a refactoring of components with existing test coverage.
  • Instructions for manual testing are as follows:
    1. [add testing steps and prerequisites here if you didn't write automated tests covering all your changes]

New unit tests in test/unit/authnz/test_authnz.py cover: idp_id as config key, default backward-compat behavior, two providers of the same type, duplicate idp_id error, and PSAAuthnz config separation.

License

  • I agree to license these and all my past contributions to the core galaxy codebase under the MIT license.

- Add optional idp_id attribute to XSD schema for unique provider instance identification
- Update config parsing to use idp_id as config key, store provider_name separately
- Add custom pipeline steps galaxy_social_user and galaxy_associate_user using idp_id
- Update PSAAuthnz to separate idp_id from provider_name for backend class lookup
- Fix provider_name_to_backend utility to return idp values (not PSA backend names)
- Add Alembic migration to convert PSA backend names to config key names in DB
- Update sample config with multi-instance example
- Add comprehensive tests for all new functionality

Agent-Logs-Url: https://github.com/mvdbeek/galaxy/sessions/973e824f-916d-42ee-88e6-d69040bb8e3f

Co-authored-by: mvdbeek <6804901+mvdbeek@users.noreply.github.com>
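As an added illustration of the config rule described above (example code, not Galaxy's own implementation): providers are keyed by idp_id, which defaults to name.lower(), name is used only to look up the backend class, and a repeated idp_id is an error instead of a silent overwrite. The KNOWN_BACKENDS registry and the sample XML are constructed stand-ins.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the real backend registry: provider type -> backend class name.
KNOWN_BACKENDS = {"keycloak": "KeycloakOpenIdConnect", "google": "GoogleOpenIdConnect"}

# Constructed sample config: two Keycloak realms plus one Google provider with no idp_id.
SAMPLE_CONFIG = """
<OIDC>
  <provider name="Keycloak" idp_id="uni_keycloak">
    <url>https://keycloak.uni.example.org/realms/uni/</url>
    <redirect_uri>https://galaxy.example.org/authnz/uni_keycloak/callback</redirect_uri>
  </provider>
  <provider name="Keycloak" idp_id="corp_keycloak">
    <url>https://keycloak.corp.example.org/realms/corp/</url>
    <redirect_uri>https://galaxy.example.org/authnz/corp_keycloak/callback</redirect_uri>
  </provider>
  <provider name="Google">
    <redirect_uri>https://galaxy.example.org/authnz/google/callback</redirect_uri>
  </provider>
</OIDC>
"""


def parse_oidc_backends(xml_text):
    """Return {idp_id: config}; raise ValueError on an unknown type or a duplicate idp_id."""
    backends = {}
    for prov in ET.fromstring(xml_text).findall("provider"):
        name = prov.get("name")
        # name must still be a known provider type; it is used only for class lookup.
        if name is None or name.lower() not in KNOWN_BACKENDS:
            raise ValueError(f"unknown provider type: {name!r}")
        # idp_id is the unique instance key; omitting it keeps the old one-per-type behaviour.
        idp_id = prov.get("idp_id") or name.lower()
        if idp_id in backends:
            # Before this change the later declaration silently replaced the earlier one.
            raise ValueError(f"duplicate idp_id: {idp_id!r}")
        backends[idp_id] = {
            "provider": KNOWN_BACKENDS[name.lower()],
            "login_url": f"/authnz/{idp_id}/login",
            "redirect_uri": prov.findtext("redirect_uri"),
        }
    return backends
```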
Copilot AI changed the title [WIP] Fix provider name uniqueness in Galaxy's OIDC configuration Fix OIDC provider name uniqueness: allow multiple instances of same provider type via idp_id Apr 7, 2026
Copilot AI requested a review from mvdbeek April 7, 2026 19:38


Development

Successfully merging this pull request may close these issues.

provider name is wrongly unique in Galaxy's OIDC configuration
