Better user-magement
- upgrade keycloak (to version 8?), keeping our custom interface
- connect via OAuth (e.g. with github, google)
- connect via SAML (e.g. with DFN AAI)
- allow local keycloaks for Oasis (why?)
- common user id (e.g. ORCID)
- consolidate users (e.g. automatically based on ORCID, CLI functions to migrate users)
- properly use (or don't use at all) affiliations
- allow authors that are not users