Closed Racer159 closed 3 months ago
Clone of https://github.com/defenseunicorns/uds-core/issues/509 to implement on this side.
Needs:

```yaml
https://sso.###ZARF_VAR_DOMAIN###/realms/uds:
  IssuerURL: https://sso.###ZARF_VAR_DOMAIN###/realms/uds
  ClientID: sigstore
  Type: email
```
Under OIDCIssuers in fulcio and an sso section in the fulcio UDS package YAML:
```yaml
sso:
  - name: Sigstore Login
    clientId: sigstore
    redirectUris:
      # - "http://localhost:*" # TODO: (@WSTARR) <- manually update the client redirect and origin urls to this
      - "http://pepr.cannot.do.localhost.uds.dev/auth"
    secret: "sigstore"
    serviceAccountsEnabled: true
```
> [!NOTE]
> Depending on the outcome of defenseunicorns/uds-core#509 the sso portion may need to be edited to support different settings.
Is your feature request related to a problem? Please describe.
As Kay I want to have Sigstore integrated with Keycloak so that I can sign images, git commits and more without needing to manage keys
Describe the solution you'd like
`cosign sign` with the fulcio, rekor, and oidc-issuer urls
Describe alternatives you've considered
We could not integrate with Keycloak directly and instead use something like Dex to issue the id tokens: https://dexidp.io/
Additional context
Currently the uds-core operator does not allow the creation of clients without a client secret.
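The fulcio `OIDCIssuers` entry and the UDS Package `sso` client in the issue have to agree with each other (issuer URL, client id), and the client has to satisfy the operator constraint noted under additional context (a client secret is required). The following is an added example, not code from this issue or from the uds-core, fulcio or cosign projects: a small Python checker that takes the two fragments as plain dicts (values copied from the issue, placeholders included, so it is constructed input) and reports pairing mismatches plus redirect-URI and secret hygiene problems. The function names and the hygiene rules (no wildcard redirect URIs, TLS for any non-localhost redirect, secret must be set and must not simply repeat the client id) are my own assumptions about what a reviewer of this config would want flagged.

```python
from urllib.parse import urlparse

# Constructed input: the two fragments from the issue, as dicts. The
# ###ZARF_VAR_DOMAIN### placeholder is the issue's own, not a live host.
FULCIO_OIDC_ISSUERS = {
    "https://sso.###ZARF_VAR_DOMAIN###/realms/uds": {
        "IssuerURL": "https://sso.###ZARF_VAR_DOMAIN###/realms/uds",
        "ClientID": "sigstore",
        "Type": "email",
    },
}

UDS_SSO_CLIENTS = [
    {
        "name": "Sigstore Login",
        "clientId": "sigstore",
        "redirectUris": ["http://pepr.cannot.do.localhost.uds.dev/auth"],
        "secret": "sigstore",
        "serviceAccountsEnabled": True,
    },
]


def _is_localhost(host: str) -> bool:
    """Loopback hosts are the one place a plain-http redirect is normal
    (cosign's interactive flow listens on localhost)."""
    return host in ("localhost", "127.0.0.1", "::1")


def check_issuer(issuer_key: str, issuer: dict) -> list[str]:
    """Findings for one fulcio OIDCIssuers entry (map key -> settings)."""
    findings = []
    url = issuer.get("IssuerURL", "")
    if url != issuer_key:
        findings.append(f"{issuer_key}: map key does not match IssuerURL {url!r}")
    if urlparse(url).scheme != "https":
        findings.append(f"{issuer_key}: IssuerURL must use https")
    if not issuer.get("ClientID"):
        findings.append(f"{issuer_key}: ClientID missing")
    if not issuer.get("Type"):
        findings.append(f"{issuer_key}: Type missing")
    return findings


def check_sso_client(client: dict) -> list[str]:
    """Findings for one UDS Package sso client entry."""
    cid = client.get("clientId", "?")
    findings = []
    for uri in client.get("redirectUris", []):
        # A wildcard redirect lets any matching URL receive the auth code.
        if "*" in uri:
            findings.append(f"{cid}: wildcard redirect URI {uri!r}")
            continue
        parsed = urlparse(uri)
        if parsed.scheme != "https" and not _is_localhost(parsed.hostname or ""):
            findings.append(f"{cid}: non-TLS redirect URI to a non-local host {uri!r}")
    secret = client.get("secret")
    if not secret:
        # Matches the constraint in the issue: the operator rejects clients
        # without a client secret.
        findings.append(f"{cid}: no client secret (uds-core operator requires one)")
    elif secret == cid:
        findings.append(f"{cid}: client secret equals clientId; use a generated value")
    return findings


def check_pairing(issuers: dict, clients: list) -> list[str]:
    """Cross-check fulcio issuers against the sso clients meant to back them."""
    findings = []
    client_ids = {c.get("clientId") for c in clients}
    for key, issuer in issuers.items():
        findings += check_issuer(key, issuer)
        if issuer.get("ClientID") not in client_ids:
            findings.append(f"{key}: no sso client with clientId {issuer.get('ClientID')!r}")
    for client in clients:
        findings += check_sso_client(client)
    return findings


if __name__ == "__main__":
    for line in check_pairing(FULCIO_OIDC_ISSUERS, UDS_SSO_CLIENTS):
        print(line)
```

Run against the issue's own values, the issuer/client pairing checks pass and the checker reports exactly two hygiene findings: the redirect URI is plain http to a non-loopback host, and the placeholder secret repeats the client id. Uncommenting the `http://localhost:*` redirect from the TODO would add a wildcard finding, which is the kind of thing to resolve before the client is created for real.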