Use persistent cookie for IDP
Is your feature request related to a problem? Please describe.
Currently, the included IDP (lico) uses a session cookie for user authentication. This means that users are logged out whenever they close their browser (and the access token expires) and are required to log in again. This can happen many times a day depending on how the browser is used, and can lead to frustration.
Describe the solution you'd like
A persistent cookie (maybe 30 days?) should be used instead of a session cookie. This would allow users to remain logged in across browser restarts, significantly improving the user experience.
Describe alternatives you've considered
Currently "silent authentication" is used to refresh the token. So Access Tokens used by OpenCloud can be refreshed as long as the IDP session lasts (which causes the behaviour described above).
An alternative would be issuing a Refresh Token to OpenCloud (scope=offline_access), although this is not encouraged because as far as I understand OC, the authentication is client-side, so the Refresh Token would land in the client's storage (possible security problem).
Another alternative would be using Keycloak as IDP, but this is way too much for a small deployment (homelab, small VPS for family, etc.).
Additional context
I am aware that the integrated IDP is only a solution for small deployments, but still those small deployments are very important for the overall acceptance of OpenCloud and should provide a good user experience "out of the box" without requiring the deployment of a larger IDP like Keycloak.
I am not sure if this is even possible with lico, although I hope it can be extended to allow persistent sessions.
When setting WEB_OIDC_SCOPE="openid profile email offline_access" a refresh token is issued – which should solve the issue without being dependent on silent authentication and IDP-specific behaviour. However, this does not work, see #1595.