Recently fixed the federation to Keycloak so now our user tokens contain all the (LDAP) groups a user is a part of.
This fix revealed an issue: the token for users who are members of many groups is so large that it goes over the limit for what can be included in the HTTP headers. Not sure where exactly this limit is hit since there are a few places this may be happening. The way to deal with this would be to no longer include the claims in the token itself and instead perform queries to /userinfo to get the claims for the required scopes.
Shouldn't be a major change, just an extra query required to get the full user info which was previously encoded in the token.
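
The following is an added example, not part of the original issue or the project's code: it measures how a group-heavy token inflates the `Authorization` header and fetches the claims from a userinfo endpoint instead, checking that the returned `sub` matches the token's subject as OpenID Connect requires. The 8192-byte limit, the group names, the helper names and the dummy signature are assumptions made for illustration.

```python
import base64
import json
import urllib.request

# Assumed per-header limit; the issue does not identify which component enforces it.
HEADER_LIMIT = 8192


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_shaped(claims: dict) -> str:
    """Build a JWT-shaped string for size estimation only (constructed, not signed)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signature = b64url(b"\0" * 256)  # placeholder the size of an RSA-2048 signature
    return f"{header}.{payload}.{signature}"


def authorization_header_size(token: str) -> int:
    """Bytes the bearer token occupies as a full Authorization header line."""
    return len(f"Authorization: Bearer {token}".encode())


def fetch_claims(userinfo_url, access_token, expected_sub, opener=urllib.request.urlopen):
    """Get claims from the userinfo endpoint instead of reading them from the token.

    The caller takes expected_sub from the already validated token; a response
    for a different subject is rejected rather than trusted.
    """
    req = urllib.request.Request(
        userinfo_url, headers={"Authorization": f"Bearer {access_token}"}
    )
    with opener(req, timeout=10) as resp:
        claims = json.load(resp)
    if claims.get("sub") != expected_sub:
        raise ValueError("userinfo 'sub' does not match the token subject")
    return claims


if __name__ == "__main__":
    groups = [f"/ldap/group-{i:04d}" for i in range(400)]  # constructed sample
    fat = jwt_shaped({"sub": "user-1", "groups": groups})
    slim = jwt_shaped({"sub": "user-1"})
    for name, tok in (("claims in token", fat), ("claims via /userinfo", slim)):
        size = authorization_header_size(tok)
        print(f"{name}: {size} bytes, over limit: {size > HEADER_LIMIT}")
```
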