
Investigate changes in SERVER-81631: Make authorizationClaim OIDC IdP configuration field optional

Original Downstream Change Summary

This change adds a new field to the oidcIdentityProviders server parameter called `useAuthorizationClaim`. The field is a bool and defaults to true. When the field is set to true, the server enforces that an authorizationClaim is provided in that identity provider's config. When it is set to false, authorizationClaim is optional (and ignored if provided). Instead, the server uses access tokens minted by this IdP for authentication only and relies on a user document whose _id corresponds to "authNamePrefix/principalNameClaim" to retrieve roles and authorize the user.

An administrator can now configure internal authorization with OIDC authentication by setting useAuthorizationClaim to false and omitting authorizationClaim from a given IdP config. Administrators should NOT do this if LDAP authorization is also configured for the cluster, because LDAP authorization would then be used for OIDC users rather than internal authorization.

Description of Linked Ticket

Today, the authorizationClaim field of the OIDC IdP configuration is mandatory, and the server expects this claim to exist in every access token presented to it for authentication. It is used to determine the direct set of groups the user is a member of, which are then mapped to MongoDB roles.

This ticket introduces a new IdP configuration field called useAuthorizationClaim that defaults to true. When it is toggled to false, authorizationClaim becomes optional and, when it is not specified, the server instead authorizes the user via a user document.
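The two passages above describe the same rule: with useAuthorizationClaim left at its default of true an IdP entry must carry authorizationClaim, and with it set to false the claim is ignored and roles come from the user document whose _id is "authNamePrefix/principalNameClaim". The following is an added example, not code from the ticket or from the MongoDB server, that applies that rule to constructed IdP entries; the `issuer` and `audience` fields, the `ldapAuthzConfigured` flag and the sample token claims are assumptions made for illustration.

```javascript
// Added example: checks one oidcIdentityProviders entry against the rule
// the ticket describes, then derives the user document _id the server
// would look up in internal-authorization mode. Field names other than
// useAuthorizationClaim, authorizationClaim, authNamePrefix and
// principalNameClaim, and all sample values, are constructed.

function checkIdpConfig(idp, ldapAuthzConfigured = false) {
  const problems = [];
  // useAuthorizationClaim defaults to true when omitted.
  const useAuthzClaim = idp.useAuthorizationClaim ?? true;

  if (useAuthzClaim && !idp.authorizationClaim) {
    problems.push("authorizationClaim is required while useAuthorizationClaim is true");
  }
  // The ticket's caveat: LDAP authorization would take precedence for OIDC users.
  if (!useAuthzClaim && ldapAuthzConfigured) {
    problems.push("LDAP authorization is configured; it would be used for OIDC users instead of internal authorization");
  }
  return {
    ok: problems.length === 0,
    mode: useAuthzClaim ? "authorizationClaim" : "userDocument",
    // In userDocument mode a supplied authorizationClaim is silently ignored.
    ignoredAuthorizationClaim: !useAuthzClaim && Boolean(idp.authorizationClaim),
    problems,
  };
}

// In userDocument mode the server authorizes via the user whose _id is
// "<authNamePrefix>/<value of principalNameClaim from the access token>".
function expectedUserId(idp, tokenClaims) {
  const principal = tokenClaims[idp.principalNameClaim];
  if (typeof principal !== "string" || principal === "") return null;
  return `${idp.authNamePrefix}/${principal}`;
}

// Constructed sample IdP entries (issuer/audience are illustrative).
const base = { issuer: "https://idp.example.com", audience: "mongo-api",
               authNamePrefix: "example", principalNameClaim: "sub" };
const claimBasedIdp = { ...base, authorizationClaim: "groups" };          // default mode
const internalAuthzIdp = { ...base, useAuthorizationClaim: false };        // new mode
const brokenIdp = { ...base };                                             // missing claim

console.log(checkIdpConfig(claimBasedIdp));
console.log(checkIdpConfig(internalAuthzIdp));
console.log(checkIdpConfig(brokenIdp));
console.log(expectedUserId(internalAuthzIdp, { sub: "alice" })); // example/alice
```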

Assignee: caleb.thompson@mongodb.com Caleb Thompson
Reporter: backlog-server-pm Backlog - Core Eng Program Management Team