There isn't currently a claim on JWTs for service accounts to deterministically
say it's a service account. Instead, in the interim we'll need to use the prefix
service-account- on the preferred_username claim to differentiate user and
service account based JWTs.

This should not be a long-term solution, as the pattern and enforcement in IT
could change, and we don't want to couple it to this as a permanent solution, however
in order to unblock service account support prior to IT adding a claim, this is
the agreed upon approach.

Also, the rh-org-id claim will be moving to a nested claim object: organization.id
at some point in the near future, so this adds support for both.