
oidcccl, server: add role synchronisation for DB Console OIDC logins

Open shriramters opened this issue 5 months ago • 2 comments

Previously, the OIDC callback (/oidc/v1/callback) authenticated Admin-UI users but did not reconcile their IdP groups with SQL roles.

This was inadequate because operators who already rely on automatic GRANT/REVOKE for JWT and LDAP flows had no equivalent mechanism for OIDC logins, leading to inconsistent privileges and manual role management.

To address this, this patch introduces group-to-role synchronisation for OIDC:

  • Adds three cluster settings: server.oidc_authentication.authorization.enabled, server.oidc_authentication.group_claim, and server.oidc_authentication.userinfo_group_key, mirroring the JWT knobs.
  • Parses the configured claim from the verified ID token (array or string), normalises, dedupes and sorts it.
  • Falls back to the user-info endpoint when the claim is absent and a group key is configured.
  • Converts groups to validated SQL usernames and invokes EnsureUserOnlyBelongsToRoles.
  • Threads the node’s *sql.ExecutorConfig into the OIDC stack.

Epic: CRDB-48763

Release note (security update): CockroachDB can now synchronise SQL role membership from the groups claim provided by an OpenID Connect (OIDC) Identity Provider when server.oidc_authentication.authorization.enabled = true. At login, the DB Console will:

  • read the group claim named in server.oidc_authentication.group_claim from the verified ID token;
  • if the claim is missing, attempt the same claim in the access token (when the access token is itself a JWT);
  • if still absent, call the provider’s /userinfo endpoint and extract the groups from the JSON key configured by server.oidc_authentication.userinfo_group_key.

The resulting list of groups is normalised to SQL role names and compared to the user’s current role memberships. Any newly required roles are GRANTed and any stale ones are REVOKEd, matching the behaviour already available for JWT and LDAP-based role synchronisation.

shriramters, Jun 03 '25 17:06
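The following Go program is an added illustration of the claim-handling and role-reconciliation logic the PR description outlines; it is not code from the CockroachDB repository or from the PR itself. It assumes a `Claims` map as produced by decoding a JWT payload or a `/userinfo` JSON body, a hypothetical `fetchUserInfo` callback standing in for the HTTP call to the provider, and a deliberately conservative role-name regular expression in place of the database's own username validation. The lookup order (ID token, then access token when it is a JWT, then `/userinfo` under the configured key) and the "user ends up in exactly these roles" diff follow the release note above.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Claims is a decoded JWT payload or /userinfo body (shape of encoding/json output).
type Claims map[string]interface{}

// groupsFromClaim reads the named claim, accepting a JSON array of strings or a
// single string. ok is false when the claim is absent or malformed, which tells
// the caller to move on to the next fallback rather than sync a partial list.
func groupsFromClaim(claims Claims, claimName string) (groups []string, ok bool) {
	raw, present := claims[claimName]
	if !present || raw == nil {
		return nil, false
	}
	var out []string
	switch v := raw.(type) {
	case string:
		out = []string{v}
	case []interface{}:
		for _, e := range v {
			s, isStr := e.(string)
			if !isStr {
				return nil, false // a non-string element makes the whole claim unusable
			}
			out = append(out, s)
		}
	default:
		return nil, false
	}
	return normalizeGroups(out), true
}

// normalizeGroups trims whitespace, lower-cases, drops empties, dedupes and sorts.
func normalizeGroups(in []string) []string {
	seen := make(map[string]struct{}, len(in))
	out := make([]string, 0, len(in))
	for _, g := range in {
		g = strings.ToLower(strings.TrimSpace(g))
		if _, dup := seen[g]; g == "" || dup {
			continue
		}
		seen[g] = struct{}{}
		out = append(out, g)
	}
	sort.Strings(out)
	return out
}

// resolveGroups applies the fallback chain from the release note. accessToken is
// nil when the access token is opaque (not a JWT); fetchUserInfo is hypothetical.
func resolveGroups(idToken, accessToken Claims, claimName string,
	fetchUserInfo func() (Claims, error), userinfoKey string) ([]string, error) {
	if g, ok := groupsFromClaim(idToken, claimName); ok {
		return g, nil
	}
	if g, ok := groupsFromClaim(accessToken, claimName); accessToken != nil && ok {
		return g, nil
	}
	if userinfoKey == "" || fetchUserInfo == nil {
		return nil, errors.New("no group claim found and no userinfo group key configured")
	}
	info, err := fetchUserInfo()
	if err != nil {
		return nil, err
	}
	if g, ok := groupsFromClaim(info, userinfoKey); ok {
		return g, nil
	}
	return nil, fmt.Errorf("userinfo response has no usable %q key", userinfoKey)
}

// roleNameRE is an assumed, conservative validator; real code would reuse the
// database's username rules. Rejecting (not skipping) keeps the sync all-or-nothing.
var roleNameRE = regexp.MustCompile(`^[a-z_][a-z0-9_.-]{0,62}$`)

func groupsToRoles(groups []string) ([]string, error) {
	for _, g := range groups {
		if !roleNameRE.MatchString(g) {
			return nil, fmt.Errorf("group %q is not a valid SQL role name", g)
		}
	}
	return groups, nil
}

// roleDiff returns what to GRANT and REVOKE so the user is a member of exactly
// `desired`, i.e. the "ensure user only belongs to roles" semantics.
func roleDiff(current, desired []string) (grant, revoke []string) {
	have, want := map[string]bool{}, map[string]bool{}
	for _, r := range current {
		have[r] = true
	}
	for _, r := range desired {
		want[r] = true
		if !have[r] {
			grant = append(grant, r)
		}
	}
	for _, r := range current {
		if !want[r] {
			revoke = append(revoke, r)
		}
	}
	sort.Strings(grant)
	sort.Strings(revoke)
	return grant, revoke
}
```

A defender reading this should note the two failure modes made explicit: a claim with a non-string element or an unknown shape is treated as absent and falls through to the next source, and any group that does not validate as a role name aborts the sync rather than silently dropping that role, so a malformed IdP response cannot leave a user with a subset of their intended memberships.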