Disable internal authentication - allow ONLY OIDC login for admins #5015
dokeraj started this conversation in Feature Request
Replies: 1 comment
And yes, I am aware that there is the option |
First Check
Please provide a concise description of the problem that would be addressed by this feature.
For security reasons, the internal authentication should be disabled when exposing the service on the internet. Instead, the admins should have the option to be created by OIDC only.
Please provide a concise description of the feature that would resolve your issue.
Option 1. When starting the service for the first time, if you choose the "login with OAuth" button, the user that will be created should be an admin. (Currently, if you click on the "login with OAuth" button, a new regular user is created.)
Option 2. Allow the admin to be created using internal authentication, but then allow another user that is created using OIDC to become admin. And allow the initial admin to be demoted to have no permissions to change anything, basically rendering that account useless to any attacker.
Please consider and list out some caveats or tradeoffs made in your design decision
The only downside I can see is that this will be the only option for the admin to log in, so in case of a broken OIDC setup, the admin can be left locked out.
The caveat is that there are extra steps the admin needs to take in order to regain access to the account, like opening the SQLite or Postgres DB and changing the user's login credentials.
Additional Information
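Added example (not code from the request or from the project): a small Python model of the two options above, with a guard for the lockout caveat. The setting name `internal_auth_enabled`, the `AuthService` class and the rule that the first account created becomes admin are assumptions made for the illustration; the guard refuses to disable internal login until at least one OIDC-created admin exists, then demotes every internally created admin so the bootstrap account can no longer change anything.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    is_admin: bool = False
    via_oidc: bool = False


@dataclass
class AuthService:
    # Hypothetical setting: when False, password (internal) login is refused.
    internal_auth_enabled: bool = True
    users: dict = field(default_factory=dict)

    def _get_or_create(self, name: str, via_oidc: bool) -> User:
        # Option 1: the very first account created, by either method, is admin.
        user = self.users.get(name)
        if user is None:
            user = User(name, is_admin=not self.users, via_oidc=via_oidc)
            self.users[name] = user
        return user

    def login_oidc(self, name: str) -> User:
        return self._get_or_create(name, via_oidc=True)

    def login_internal(self, name: str) -> User:
        if not self.internal_auth_enabled:
            raise PermissionError("internal login is disabled; use OIDC")
        return self._get_or_create(name, via_oidc=False)

    def promote(self, actor: User, target_name: str) -> None:
        # Option 2: an existing admin grants admin to an OIDC-created account.
        if not actor.is_admin:
            raise PermissionError("only admins may promote")
        self.users[target_name].is_admin = True

    def disable_internal_auth(self, actor: User) -> None:
        # Lockout guard (an assumption added here): refuse unless at least one
        # admin can still sign in through OIDC, then demote every internally
        # authenticated admin so the bootstrap account becomes inert.
        if not actor.is_admin:
            raise PermissionError("only admins may change this setting")
        if not any(u.is_admin and u.via_oidc for u in self.users.values()):
            raise RuntimeError("no OIDC admin exists; disabling would lock you out")
        for u in self.users.values():
            if not u.via_oidc:
                u.is_admin = False
        self.internal_auth_enabled = False
```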