We accept an OIDC ID token issued by a trusted identity provider as proof of authentication.
The ID token is validated and exchanged for a Nominal access token.
This ID token should generally be short lived since it is fungible with a Nominal access token
via this endpoint. An access token, if provider, is used to get user information from the OIDC
userinfo endpoint. An org rid should be provided if the user is a member of multiple orgs.