Implement OAuth2 provider (#927)

- [x] Application management
  - [x] Link
  - [ ] Tests
- [x] Authorize flow
  - [x] Tests
- [x] Refresh token handling
  - [x] Tests
- [x] Revocation endpoint
  - [x] Tests
  - [x] Mitigate: https://github.com/jazzband/django-oauth-toolkit/issues/585
- [x] API authenticator / permission driver
  - [x] Test
- [x] Enforce organizer restriction
  - [x] Tests
- [x] Enforce scope restriction
  - [x] Tests
- [x] Show current applications to user
  - [x] Revoke
  - [x] Tests
- [x] Log new authorizations
  - [x] notify user
- [x] Ensure other grant types are not available
- [x] Documentation
- [x] check if revoking access toking, then refreshing gets rid of organizer constraint
- [x] Show logentry foo

src/pretix/settings.py

@@ -250,6 +250,7 @@ INSTALLED_APPS = [
     'django_countries',
     'hijack',
     'compat',
+    'oauth2_provider',
 ]
 
 try:
@@ -275,6 +276,7 @@ REST_FRAMEWORK = {
     'DEFAULT_AUTHENTICATION_CLASSES': (
         'pretix.api.auth.token.TeamTokenAuthentication',
         'rest_framework.authentication.SessionAuthentication',
+        'oauth2_provider.contrib.rest_framework.OAuth2Authentication',
     ),
     'DEFAULT_RENDERER_CLASSES': (
         'rest_framework.renderers.JSONRenderer',
@@ -590,3 +592,18 @@ AUTH_PASSWORD_VALIDATORS = [
         'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
     },
 ]
+OAUTH2_PROVIDER_APPLICATION_MODEL = 'pretixapi.OAuthApplication'
+OAUTH2_PROVIDER_GRANT_MODEL = 'pretixapi.OAuthGrant'
+OAUTH2_PROVIDER_ACCESS_TOKEN_MODEL = 'pretixapi.OAuthAccessToken'
+OAUTH2_PROVIDER_REFRESH_TOKEN_MODEL = 'pretixapi.OAuthRefreshToken'
+OAUTH2_PROVIDER = {
+    'SCOPES': {
+        'read': _('Read access'),
+        'write': _('Write access'),
+    },
+    'OAUTH2_VALIDATOR_CLASS': 'pretix.api.oauth.Validator',
+    'ALLOWED_REDIRECT_URI_SCHEMES': ['https'] if not DEBUG else ['http', 'https'],
+    'ACCESS_TOKEN_EXPIRE_SECONDS': 3600 * 24,
+    'ROTATE_REFRESH_TOKEN': False,
+
+}