Improve OAuth2 provider (correct Issuer, respect ENABLED) (#34966)

1. Make "Issuer" strictly follow the spec (see comment)
2. Make "/.well-known/openid-configuration" respond 404 if the OAuth2
provider is not enabled.

Then by the way, remove the JSEscape template helper because it is not
needed any more.

templates/user/auth/oidc_wellknown.tmpl

@@ -1,16 +1,16 @@
 {
-    "issuer": "{{AppUrl | JSEscape}}",
-    "authorization_endpoint": "{{AppUrl | JSEscape}}login/oauth/authorize",
-    "token_endpoint": "{{AppUrl | JSEscape}}login/oauth/access_token",
-    "jwks_uri": "{{AppUrl | JSEscape}}login/oauth/keys",
-    "userinfo_endpoint": "{{AppUrl | JSEscape}}login/oauth/userinfo",
-    "introspection_endpoint": "{{AppUrl | JSEscape}}login/oauth/introspect",
+    "issuer": "{{.OidcIssuer}}",
+    "authorization_endpoint": "{{.OidcBaseUrl}}/login/oauth/authorize",
+    "token_endpoint": "{{.OidcBaseUrl}}/login/oauth/access_token",
+    "jwks_uri": "{{.OidcBaseUrl}}/login/oauth/keys",
+    "userinfo_endpoint": "{{.OidcBaseUrl}}/login/oauth/userinfo",
+    "introspection_endpoint": "{{.OidcBaseUrl}}/login/oauth/introspect",
     "response_types_supported": [
         "code",
         "id_token"
     ],
     "id_token_signing_alg_values_supported": [
-        "{{.SigningKey.SigningMethod.Alg | JSEscape}}"
+        "{{.SigningKeyMethodAlg}}"
     ],
     "subject_types_supported": [
         "public"