dex
Support Azure AD roles claim
App registrations in Azure AD support custom application roles that are emitted as a roles claim in the id_token.
https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
Is your feature request related to a problem?
Roles are a nice alternative or complement to groups, as explained in the linked document from Microsoft. They also don't need any permissions that require global admin consent, like Directory.Read.All.
Describe the solution you'd like to see
I guess this would require a new custom claim in dex as it's not a standard claim?
Describe alternatives you've considered
N/A
Additional context
I added a comment in https://github.com/dexidp/dex/issues/1182 as well, as another rationale for custom claims mapping.
The linked issue is slightly different in my opinion. We have similar claim mapping solutions in other providers. groups is a distinguished claim in Dex, so we can add it to the connector configuration similarly.
This is also needed for any large organization, because the groups claim in an Azure-returned JWT has a character limit, so if a person is a member of too many groups, they won't all fit in the token. The recommended solution to this is to use roles. Relevant doc
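Added example, not dex's own code and not part of any comment in this thread: a sketch of the claim-to-groups mapping the two comments above describe, written in Go because dex is a Go project. It reads a configurable claim key ("groups" or "roles") from the id_token claims, and when the key is "groups" it refuses the token if Azure AD's groups overage markers ("_claim_names"/"_claim_sources", which Azure emits instead of the group list when the user is in too many groups) are present, so the caller knows to fall back to roles or to a directory lookup. Function names, the config key, and the sample token are assumptions for illustration; the token is constructed inline and unsigned, and decoding here is deliberately done without signature checks, so it must only ever run on a token the OIDC library has already verified.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrGroupsOverage is returned when Azure AD signals that the group list was
// too large to embed in the token (the "_claim_names"/"_claim_sources"
// overage markers) and the caller must use roles or a directory lookup.
var ErrGroupsOverage = errors.New("groups claim omitted: overage marker present")

// payloadClaims decodes the claims segment of a compact JWT. It performs no
// signature verification; call it only on a token the OIDC library has
// already verified (hypothetical helper, not dex's code).
func payloadClaims(idToken string) (map[string]any, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT: expected 3 segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, fmt.Errorf("parsing claims: %w", err)
	}
	return claims, nil
}

// groupsFromClaims reads the claim named by key (assumed to come from a
// connector config option such as "groupsClaim: roles") and returns it as a
// list of strings. A missing claim yields an empty list; a non-string element
// is rejected rather than silently dropped, and an overaged groups claim is
// reported instead of being treated as "no groups".
func groupsFromClaims(claims map[string]any, key string) ([]string, error) {
	if key == "groups" {
		if names, ok := claims["_claim_names"].(map[string]any); ok {
			if _, overage := names["groups"]; overage {
				return nil, ErrGroupsOverage
			}
		}
	}
	v, ok := claims[key]
	if !ok {
		return []string{}, nil
	}
	arr, ok := v.([]any)
	if !ok {
		return nil, fmt.Errorf("claim %q is not an array", key)
	}
	out := make([]string, 0, len(arr))
	for _, e := range arr {
		s, ok := e.(string)
		if !ok {
			return nil, fmt.Errorf("claim %q contains non-string element %v", key, e)
		}
		out = append(out, s)
	}
	return out, nil
}

// unsignedToken builds a compact JWT with an empty signature from a claims
// map, only so the sample input can be constructed offline. Never mint real
// tokens this way.
func unsignedToken(claims map[string]any) string {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "none"}) + "." + enc(claims) + "."
}

// sampleToken is a constructed id_token: app roles are present, while the
// groups claim has been replaced by Azure AD's overage markers.
func sampleToken() string {
	return unsignedToken(map[string]any{
		"iss":   "https://login.microsoftonline.com/TENANT_ID/v2.0", // placeholder tenant
		"sub":   "user-1",
		"roles": []string{"Admin", "Reader"},
		"_claim_names": map[string]string{"groups": "src1"},
		"_claim_sources": map[string]any{
			"src1": map[string]string{"endpoint": "https://graph.microsoft.com/v1.0/users/user-1/getMemberObjects"},
		},
	})
}

func main() {
	claims, err := payloadClaims(sampleToken())
	if err != nil {
		panic(err)
	}
	roles, err := groupsFromClaims(claims, "roles")
	fmt.Println("roles:", roles, "err:", err)
	groups, err := groupsFromClaims(claims, "groups")
	fmt.Println("groups:", groups, "err:", err)
}
```

With the sample token, mapping from "roles" yields the two app roles, while mapping from "groups" fails with ErrGroupsOverage rather than returning an empty list, which is the failure mode to watch for: a connector that treats a missing groups claim as "no groups" would silently strip access from exactly the users with the most memberships.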
@sagikazarmark Do you know how we can proceed with this?
Still an open issue. Application Roles would be very useful. Groups can become unwieldy quickly, so using roles would be more "lean" for doing RBAC mapping vs groups.