Red Hat OpenShift Control Planes
CNTRLPLANE-2550

Add support for CEL expression claim mappings for username and groups

Type: Story
Resolution: Unresolved
Priority: Normal
Sprint: Auth Feature Team - Sprint 280

      The upstream Structured Authentication Configuration API allows for configuring a CEL expression that is used for mapping JWT claim values to the username and groups attributes of a cluster user identity.

      While OpenShift has GA support for bringing an external identity provider using this functionality, it only allows naming an explicit claim whose value is mapped to each attribute. This prevents users from expressing the more complex mapping logic that is possible via CEL expressions.

      A use case mentioned by customers is using a different claim for mapping service principals vs. users, via a CEL expression like: `has(claims.upn) ? claims.upn : claims.oid`

      We need to add new configuration fields that allow CEL expressions to be configured for claim mappings, to enable these use cases.

      When adding this configuration option, we should ensure we add admission-time validation checks that return helpful warning messages to users if they provide an invalid configuration. The Kubernetes API server validations that are performed on the Structured Authentication Configuration file can be found here: https://github.com/kubernetes/kubernetes/blob/fd41228d1ad1ce1e95c29c654de2373557af35d3/staging/src/k8s.io/apiserver/pkg/apis/apiserver/validation/validation.go#L319
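      As an added example (not part of this issue), this is the upstream Kubernetes AuthenticationConfiguration file that expresses the customer mapping above, the format whose validations are linked. The OpenShift field this issue asks for does not exist yet; the issuer URL, audience and the comma-separated `roles` claim are constructed placeholders.

```yaml
# Added example, not from the issue: upstream Structured Authentication
# Configuration with CEL claim mappings. Issuer, audience and the `roles`
# claim are constructed placeholders.
apiVersion: apiserver.config.k8s.io/v1
kind: AuthenticationConfiguration
jwt:
- issuer:
    url: https://idp.example.invalid   # placeholder issuer
    audiences:
    - openshift-example                # placeholder audience
  claimMappings:
    username:
      # `claims` is the map of verified JWT claims. Service principals
      # carry no `upn`, so fall back to `oid`. The expression must
      # evaluate to a string; a `claim`/`prefix` pair may not be set
      # alongside `expression` in the same mapping.
      expression: "has(claims.upn) ? claims.upn : claims.oid"
    groups:
      # Must evaluate to a string or a list of strings. Assumes a
      # placeholder `roles` claim holding a comma-separated list.
      expression: 'claims.roles.split(",")'

# Rejected by the upstream validation, and what the OpenShift admission
# checks should reject too: mixing the explicit claim form with an
# expression in one mapping.
#   claimMappings:
#     username:
#       claim: preferred_username
#       prefix: "oidc:"
#       expression: "has(claims.upn) ? claims.upn : claims.oid"
```

      A mapping expression that is type-correct but evaluates to the wrong runtime type (for example a number for `username`) fails at authentication time rather than at admission time, which is why the admission warnings above only catch the statically detectable cases.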

      Acceptance Criteria

      • The `authentications.config.openshift.io` resource is updated such that the existing `spec.oidcProviders[].claimMappings.username` and `spec.oidcProviders[].claimMappings.groups` fields contain a new optional field, in which a CEL expression can be specified.
      • API integration tests are updated to test any new validations added as part of the change above.

              rh-ee-saldawam Shaza Aldawamneh