add userinfo support for OpenID (#12469)

Some identity providers like GitLab do not provide
information about group membership as part of the
identity token claims. They only expose it via OIDC compatible
'/oauth/userinfo' endpoint, as described in the OpenID
Connect 1.0 sepcification.

But this of course requires application to make sure to add
additional accessToken, since idToken cannot be re-used to
perform the same 'userinfo' call. This is why this is specialized
requirement. Gitlab seems to be the only OpenID vendor that requires
this support for the time being.

fixes #12367

internal/config/identity/openid/validators.go

@@ -31,7 +31,7 @@ type ID string
 type Validator interface {
 	// Validate is a custom validator function for this provider,
 	// each validation is authenticationType or provider specific.
-	Validate(token string, duration string) (map[string]interface{}, error)
+	Validate(idToken, accessToken, duration string) (map[string]interface{}, error)
 
 	// ID returns provider name of this provider.
 	ID() ID