Description
These are new configuration options to be added for identity providers. Initially they may apply only to the OIDC identity provider (and the Keycloak OIDC identity provider, although that may be implicit).
We may initially consider config options like:
- Support RFC-7523 authorization grant - Boolean switch to indicate whether the identity provider is capable of acting as a trust-relationship provider, i.e. able to verify RFC-7523 assertions.
- Single use authorization grants - Boolean switch to indicate whether assertions should be single-use or not. Requires the jti claim (which is optional in RFC 7523). ON by default.
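As an added illustration (not Keycloak code), the two switches modelled in Python with a minimal assertion validator: the HS256 builder, the secret and all claim values are constructed test input, and the class and field names are hypothetical.

```python
import base64, hashlib, hmac, json

SECRET = b"demo-secret-not-for-production"  # constructed shared secret, not a real key
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp")  # RFC 7523 section 3; jti is optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(claims: dict) -> str:
    # Compact HS256 JWT built as constructed test input for the validator below.
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

class IdentityProviderConfig:
    # Hypothetical model of the two switches proposed above (defaults as proposed).
    def __init__(self, rfc7523_grant: bool = False, single_use: bool = True):
        self.rfc7523_grant, self.single_use = rfc7523_grant, single_use

class AssertionValidator:
    def __init__(self, config: IdentityProviderConfig, expected_aud: str, now: int):
        self.config, self.expected_aud, self.now = config, expected_aud, now
        self.seen_jti = set()  # replay cache; production needs a shared store that expires at exp

    def validate(self, assertion: str) -> dict:
        if not self.config.rfc7523_grant:
            raise ValueError("identity provider does not accept RFC 7523 assertions")
        head, body, sig = assertion.split(".")
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(body))
        if any(c not in claims for c in REQUIRED_CLAIMS):
            raise ValueError("missing one of the required claims")
        if claims["aud"] != self.expected_aud:
            raise ValueError("audience mismatch")
        if claims["exp"] <= self.now:
            raise ValueError("assertion expired")
        if self.config.single_use:
            jti = claims.get("jti")
            if not jti:
                raise ValueError("single-use mode requires jti")
            if jti in self.seen_jti:
                raise ValueError("assertion replayed")
            self.seen_jti.add(jti)
        return claims
```

With the single-use switch ON, an assertion without jti is rejected outright rather than silently accepted as reusable.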
Other switches may be introduced later once we see the need for them (e.g. clock skew).
Note that an identity provider may act only as a trust-relationship provider and not be used at all for user login. We may need follow-up tasks to make sure it is possible to create an identity provider that is capable only of "RFC-7523 assertion validation", but not of login.
This task is a follow-up of #43444.