[Feature]: Implement simple Entra ID service principal-based OIDC auth #10212

Open
5 tasks
joelverhagen opened this issue Oct 9, 2024 · 0 comments
Labels
feature-request Customer feature request Triaged

joelverhagen commented Oct 9, 2024

Related Problem

This is a baby step towards #9332.

Let's make NuGet.org able to accept a very specific kind of token, for specific (opted-in) users.

At the end of this work, specific users in a flight (user-specific feature flag) will be able to request an Entra ID token for https://www.nuget.org, send it to a new token trade endpoint, and receive a short-lived API key.

They will be able to perform push, unlist, and relist with this short-lived API key.

Pieces of work:

  • Enable nuget.org as an identified resource URL (https://www.nuget.org).
  • New DB schema for federated credential trust policies
  • Code to validate Entra ID OIDC tokens
  • New token endpoint to trade an OIDC token for a short-lived API key
  • New admin panel to add trust policy for another user

The Elevator Pitch

We can enable OIDC auth for internal dogfooding first (via Entra ID SP), allowing us to lay a bunch of common groundwork for 1P and 3P (GitHub Actions) scenarios.

Additional Context and Details

No response
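
The token trade described in the issue above, as an added example that is not part of the issue or NuGet.org's code: it shows the claim checks between an already signature-verified Entra ID token and a stored trust policy before a short-lived key is issued. The `TrustPolicy` fields, the 15-minute key lifetime, the clock-skew value and the `trade_token` name are assumptions; the audience URL and the push/unlist/relist scopes come from the issue.

```python
import secrets
from dataclasses import dataclass

AUDIENCE = "https://www.nuget.org"         # resource URL named in the issue
KEY_SCOPES = ("push", "unlist", "relist")  # actions named in the issue
KEY_LIFETIME = 15 * 60                     # assumed key lifetime (seconds)
CLOCK_SKEW = 60                            # assumed tolerance (seconds)

@dataclass(frozen=True)
class TrustPolicy:       # hypothetical schema, not the project's
    owner: str           # NuGet.org account the key will act as
    tenant_id: str       # must equal the token's `tid` claim
    object_id: str       # must equal the token's `oid` (service principal)

def trade_token(claims, policies, flighted_users, now):
    # Returns (key_record, None) or (None, reason). `claims` must come from a
    # token whose signature was already verified against the tenant's keys.
    if claims.get("aud") != AUDIENCE:
        return None, "wrong audience"
    tid = str(claims.get("tid", "")).lower()
    oid = str(claims.get("oid", "")).lower()
    if not tid or not oid:
        return None, "missing tid or oid"
    # The issuer must belong to the same tenant the token claims to be from.
    issuers = (f"https://login.microsoftonline.com/{tid}/v2.0",
               f"https://sts.windows.net/{tid}/")
    if claims.get("iss") not in issuers:
        return None, "issuer does not match tenant"
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    if not isinstance(exp, int) or now >= exp + CLOCK_SKEW:
        return None, "expired"
    if not isinstance(nbf, int) or now + CLOCK_SKEW < nbf:
        return None, "not yet valid"
    policy = next((p for p in policies if p.tenant_id.lower() == tid
                   and p.object_id.lower() == oid), None)
    if policy is None:
        return None, "no matching trust policy"
    if policy.owner not in flighted_users:
        return None, "owner not in flight"
    return {"owner": policy.owner, "scopes": KEY_SCOPES,
            "expires": now + KEY_LIFETIME,
            "key": secrets.token_urlsafe(32)}, None

if __name__ == "__main__":  # constructed sample values, not real IDs
    T, O = "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"
    c = {"aud": AUDIENCE, "tid": T, "oid": O, "exp": 4600,
         "iss": f"https://sts.windows.net/{T}/"}
    print(trade_token(c, [TrustPolicy("contoso-bot", T, O)], {"contoso-bot"}, 2000))
```

Matching on both `tid` and `oid`, and tying `iss` to `tid`, keeps a service principal in a different tenant from satisfying a policy written for this one.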
