
Support CEL / template in authenticator validations

Open martin31821 opened this issue 7 months ago • 6 comments

Preflight checklist

  • [X] I agree to follow this project's Code of Conduct.
  • [X] I have read and am following this repository's Contribution Guidelines.
  • [ ] I have discussed this feature request with the community.

Describe the background of your feature request

We're building a multi-tenant cloud application which is secured via Keycloak and we're looking into using heimdall to secure our app. Our tenants should be separated by using different Keycloak realms (effectively one OpenID provider per tenant), but we do want our users to be able to log in to shared services in the app using heimdall.

Describe your idea

Building upon #619, I'd like to extend the validation of authenticators with CEL.

I'm thinking of a configuration like this:

```yaml
rules:
  mechanisms:
    authenticators:
    - id: keycloak
      type: oidc
      config:
        assertions:
          issuers:
          - expression: "Issuer.startsWith(\"https://${our_keycloak_url}/realms\")"
          - "${issuer_url}" # this one for backwards compatibility
```

Are there any workarounds or alternatives?

I have, so far, not found an alternative for what I'm trying to achieve. A workaround would be an extra service validating tokens from different realms and unifying these tokens, but I think it wouldn't be a nice solution.

Version

v0.11.0

Additional Context

No response

martin31821, Nov 14 '23 14:11
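Added illustration, not heimdall code and not the CEL engine the issue proposes: a small Python stand-in for the proposed `issuers` assertion that accepts either a literal issuer entry or an `Issuer.startsWith(...)` rule, together with the check a multi-tenant deployment wants next to it (the prefix ends in `/realms/` and the realm must be a single path segment, so sibling paths like `/realms-evil` or nested paths cannot satisfy the rule). `kc.example.com` and the legacy issuer URL are hypothetical values standing in for `${our_keycloak_url}` and `${issuer_url}`.

```python
"""Mock of the proposed multi-issuer assertion (constructed example, not heimdall's code)."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

KEYCLOAK_BASE = "https://kc.example.com"  # hypothetical ${our_keycloak_url}


@dataclass(frozen=True)
class IssuerRule:
    """One entry of the proposed `issuers` list."""
    literal: Optional[str] = None  # plain string entry: exact match
    prefix: Optional[str] = None   # models `Issuer.startsWith(prefix)`


# Trailing "/" on the prefix matters: "https://kc.example.com/realms" alone
# would also accept "https://kc.example.com/realms-evil/...".
ISSUER_RULES: List[IssuerRule] = [
    IssuerRule(prefix=f"{KEYCLOAK_BASE}/realms/"),            # any realm of our Keycloak
    IssuerRule(literal="https://legacy-idp.example.com/"),    # backwards compatibility
]


def issuer_allowed(iss: str, rules: List[IssuerRule] = ISSUER_RULES) -> bool:
    """Return True if the token's `iss` claim satisfies one of the configured rules."""
    parsed = urlparse(iss)
    if parsed.scheme != "https" or not parsed.netloc:
        return False  # OIDC issuers must be https URLs with a host
    for rule in rules:
        if rule.literal is not None and iss == rule.literal:
            return True
        if rule.prefix is not None and iss.startswith(rule.prefix):
            # The remainder must be exactly one realm name: non-empty, a single
            # path segment, and not a dot segment that a resolver could collapse.
            realm = iss[len(rule.prefix):].rstrip("/")
            if realm and "/" not in realm and realm not in (".", ".."):
                return True
    return False


def discovery_url(iss: str) -> str:
    """Per-issuer discovery document; each accepted realm must be keyed by its own JWKS,
    not by a single shared key set, otherwise tenant isolation is lost."""
    return iss.rstrip("/") + "/.well-known/openid-configuration"
```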