Support external authentication

Feature description

It would be great to allow some kind of external authentication for baserow; and there are many options for doing this:

• RFC3875 REMOTE_IDENT Header or similar. The gist of this is that you'd delegate authentication to a gateway of some kind that would resolve the authenticated user's identity and privileges and supply it to baserow as headers. This would happen between the request hitting the reverse proxy and it being passed to baserow. If this is implemented, be sure to lock it behind a feature flag for security purposes.
• OpenID Connect (JWT). Similar concept to the above, except the identity and privileges are contained in a JWT that is consumed via the Authorization HTTP header. As long as the metadata URL and scopes are configurable this has a similar effect to the above. Additionally, having the user's privileges also being processed from the token would be great but not strictly necessary. Again, implementing the entire OIDC auth flow is not necessary, just the token consumption and the remainder can be handled by an external authentication gateway.

Anyone using a reverse proxy such as Nginx in front of baserow would be able to implement whatever authentication they liked with the two options above available, however even one of these would be more than sufficient.

Additionally, as both methods use HTTP headers, they will work seamlessly with Websockets.

Examples

Most self-hosted web apps enable generic OAuth2/OIDC authentication; however Hasura would be a good example of both of the above methods.