The current (legacy) Keystone uses expiring user group memberships for users coming from an external IdP, since it has no way to communicate with the IdP directly. We currently do the same for compatibility reasons. However, it is now entirely possible to query this information over the direct connection to the IdP and the oidc.user_info endpoint. This eliminates the negative consequence of requiring users to log in periodically via OIDC to keep their application credentials working. In that case, when a user with an attached federated object authenticates (using any mechanism), the group memberships should be refreshed.
Most likely the expiring_user_group_membership table should still be used, since it additionally contains the idp_id through which the user has the group membership.
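
The refresh described above has to be scoped to the idp_id, so that a group dropped at one IdP is revoked on the next authentication without touching memberships granted through another IdP. The following is an added example, not Keystone's code: `refresh_memberships`, the in-memory dict standing in for the expiring_user_group_membership table, and the `last_verified` value are assumptions, and the group list from the IdP is assumed to be already mapped to Keystone group IDs.

```python
from datetime import datetime, timezone

# Hypothetical in-memory stand-in for expiring_user_group_membership:
# key (user_id, group_id, idp_id) -> last_verified timestamp (assumed column).


def refresh_memberships(rows, user_id, idp_id, idp_group_ids, now):
    """Reconcile one user's memberships for ONE IdP against fresh IdP data.

    rows: dict {(user_id, group_id, idp_id): last_verified}, updated in place
    idp_group_ids: group IDs the IdP reports now (already mapped, assumption)
    Returns (added, renewed, removed) as sorted lists of group IDs.
    """
    wanted = set(idp_group_ids)
    # Only rows for this user AND this IdP are candidates for change.
    current = {g for (u, g, i) in rows if u == user_id and i == idp_id}
    added = sorted(wanted - current)
    renewed = sorted(wanted & current)
    removed = sorted(current - wanted)
    for group_id in added + renewed:
        rows[(user_id, group_id, idp_id)] = now   # grant or extend
    for group_id in removed:
        del rows[(user_id, group_id, idp_id)]     # revoke immediately
    return added, renewed, removed


def demo():
    """Run the refresh on constructed sample rows and return the outcome."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    rows = {
        ("u1", "admins", "idp-a"): t0,
        ("u1", "devs", "idp-a"): t0,
        ("u1", "admins", "idp-b"): t0,  # same group, granted via another IdP
        ("u2", "devs", "idp-a"): t0,    # different user, must stay untouched
    }
    # idp-a now reports that u1 is in devs and ops, no longer in admins.
    result = refresh_memberships(rows, "u1", "idp-a", ["devs", "ops"], now)
    return rows, result, t0, now


if __name__ == "__main__":
    rows, result, _, _ = demo()
    print(result)
    for key in sorted(rows):
        print(key, rows[key].isoformat())
```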