In idtoken_for_roles, pull claim check out into its own functions

[gene1wood]

Update the idtoken_for_roles so that

When the function checks to see if a given group is part of the user's claimed group list, do so by calling a function that's sole job is to check if a given group is in the user's claim. This will make it easier to try different claim names and different claim formats (e.g. a list vs a / delimited string)