Support transformations/policies based on values from OIDCIdentityProvider additionalClaimMappings

[jeffmace]

It would be nice to support transformations like are proposed in #1407 on values from the additionalClaimMappings in OIDCIdentityProvider.

Here are two examples based on an additional claim named org_id

• The user can configure a policy to limit which org_id values are allowed to authenticate through the OIDCIdentityProvider

  - type: policy/v1
    expression: 'org_id in strListConst.orgIDList'
    message: "Only users in certain orgs are allowed to authenticate"
  

• The user can configure a transformation to append the org_id to the user's list of groups

  - type: groups/v1
    expression: 'groups + ["org" + org_id]'
  

Based on some discussion, the values for additionalClaimMappings may not be accessible outside the OIDCIdentityProvider scope. If so, then the transformations must be defined for each OIDCIdentityProvider resource so they result in the expected username/groups values.