We accept an OIDC ID token issued by a trusted identity provider as proof of authentication.
The ID token is validated and exchanged for a Nominal access token with a 24h expiry.
This ID token should generally be short lived since it is fungible with a Nominal access token
via this endpoint. An access token, if provided, is used to get user information from the OIDC
userinfo endpoint.
A workspace rid or an org rid should be provided if the user is a guest or a member of multiple
orgs. These will be resolved to determine what org the Nominal token should be minted for.