Is your feature request related to a problem? Please describe.
SSO auth sends the access token to Temporal, not the ID token, as the Bearer in the Authorization header.
The ID token is also sent in the Authorization-Extras header.
Some OIDC providers use non-JWT access tokens, which cause authorization in Temporal to fail with an error such as "token contains an invalid number of segments".
Describe the solution you'd like
Add an option to pass the ID token to Temporal in the Authorization header.
This could be implemented as an option such as TEMPORAL_AUTH_ID_TOKEN_AS_BEARER=true, etc.
Describe alternatives you've considered
I was testing this with HashiCorp Vault as the OIDC provider, which returns a non-JWT token for the access token.
I verified that the ID token that is sent in the Authorization-Extras header works as the bearer token by using an nginx proxy to rewrite the request from the UI to Temporal:
The rewritten headers resulted in successful authentication.
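As an added example (not code from the Temporal UI project or from this issue's author), a Go sketch of the proposed option: with the flag set it forwards the ID token from Authorization-Extras instead of the access token, and it rejects structurally non-JWT bearer values up front, reproducing the "invalid number of segments" failure an opaque Vault access token triggers. Both tokens are constructed samples, and that Authorization-Extras carries the bare token is an assumption.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
)

// errNotJWT mirrors the failure in the issue: "token contains an invalid number of segments".
var errNotJWT = errors.New("bearer token is not a JWT: invalid number of segments")

// Constructed sample tokens, not real credentials: idToken carries the JOSE header
// {"alg":"RS256","typ":"JWT"}; accessToken imitates an opaque (non-JWT) Vault token.
const (
	idToken     = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSJ9.c2ln"
	accessToken = "hvs.CONSTRUCTEDopaqueAccessTokenValue"
)

// jwtAlg returns "alg" from a compact JWT's JOSE header. It checks structure only
// (three segments, base64url JSON header); signature verification stays with Temporal.
func jwtAlg(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errNotJWT
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", err
	}
	return hdr.Alg, nil
}

// selectBearer picks the token to forward. With idTokenAsBearer set (the proposed
// TEMPORAL_AUTH_ID_TOKEN_AS_BEARER=true behaviour) the ID token replaces the access token.
func selectBearer(h http.Header, idTokenAsBearer bool) (string, error) {
	tok := strings.TrimPrefix(h.Get("Authorization"), "Bearer ")
	if idTokenAsBearer {
		tok = strings.TrimPrefix(h.Get("Authorization-Extras"), "Bearer ")
	}
	if _, err := jwtAlg(tok); err != nil {
		return "", err
	}
	return tok, nil
}
```

If the ID token is forwarded as the bearer, Temporal's claim mapper still has to verify its signature, issuer and expiry and check that aud matches the UI's client ID, since an ID token is issued to the client application rather than to the API it is presented to.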