Add upstream-auth flag for sending id_token to upstream

[kellycampbell]

This is an alternate idea to the first part of #621 which would make a single option to declare what to send in the Authorization header to the upstream instead of several potentially incompatible pass-foo options. Currently just has id_token for kubernetes oidc auth with Google.