fix: Disable password confirmation for SSO

[juliusknorr]

Similar behaviour as the user_saml app to avoid asking for password confirmation for SSO where we don't have a password to validate against.

Fixes #468

[thlehmann-ionos]

I don't think this is sufficient and completely thought through.

TL;DR: The password confirmation library also checks for backendAllowsPasswordConfirmation, which should be false, since a user authenticated via SSO can not confirm their password via Nextcloud's user database. The variable however will only be false if the user backend implements IPasswordConfirmationBackend.

More details

This can only be the case if the user could be looked up in the user_oidc backend by their ID. See user Manager->get().

This, in turn, means the user has to be provisioned in the user_oidc backend by the same ID as in the Nextcloud backend, since otherwise, the backend lookup would yield the Nextcloud user backend, which does not implement the above mentioned interface. See how the user is looked up in the code auth phase and later associated with the user's session.

The error would be reproducible if the user was auto-provisioned and the (--unique-id) was not false (0) (true is the default) since user_oidc would generate a new ID in the process. See the code.

Note that a auto-provisioned user with unique user ID could not be looked up as the backend implementing IPasswordConfirmationBackend as it would by looked up by the ID in the sub claim. This is a separate issue #898.

Proposed solutions

1. Hard (=non-auto) de-provisioning should be implemented to allow an explicitly created user_oidc backed user entity to be removed, since it otherwise breaks de-provisioning via Nextcloud too or
2. The hard provisioning should provision the user in the Nextcloud backend
3. The ID-uniqueness feature should be dropped or changed in a way that the user_oidc backend allows lookup by the hashed user ID too