Create username scope, required for clients to get username in ID token

- For backwards compatibility with older Pinniped CLIs, the pinniped-cli
  client does not need to request the username or groups scopes for them
  to be granted. For dynamic clients, the usual OAuth2 rules apply:
  the client must be allowed to request the scopes according to its
  configuration, and the client must actually request the scopes in the
  authorization request.
- If the username scope was not granted, then there will be no username
  in the ID token, and the cluster-scoped token exchange will fail since
  there would be no username in the resulting cluster-scoped ID token.
- The OIDC well-known discovery endpoint lists the username and groups
  scopes in the scopes_supported list, and lists the username and groups
  claims in the claims_supported list.
- Add username and groups scopes to the default list of scopes
  put into kubeconfig files by "pinniped get kubeconfig" CLI command,
  and the default list of scopes used by "pinniped login oidc" when
  no list of scopes is specified in the kubeconfig file
- The warning header about group memberships changing during upstream
  refresh will only be sent to the pinniped-cli client, since it is
  only intended for kubectl and it could leak the username to the
  client (which may not have the username scope granted) through the
  warning message text.
- Add the user's username to the session storage as a new field, so that
  during upstream refresh we can compare the original username from the
  initial authorization to the refreshed username, even in the case when
  the username scope was not granted (and therefore the username is not
  stored in the ID token claims of the session storage)
- Bump the Supervisor session storage format version from 2 to 3
  due to the username field being added to the session struct
- Extract commonly used string constants related to OIDC flows to api
  package.
- Change some import names to make them consistent:
  - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc"
  - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc
    as "oidcapi"
  - Always import go.pinniped.dev/internal/oidc as "oidc"

internal/fositestorage/authorizationcode/authorizationcode.go

@@ -30,7 +30,8 @@ const (
 
 	// Version 1 was the initial release of storage.
 	// Version 2 is when we switched to storing psession.PinnipedSession inside the fosite request.
-	authorizeCodeStorageVersion = "2"
+	// Version 3 is when we added the Username field to the psession.CustomSessionData.
+	authorizeCodeStorageVersion = "3"
 )
 
 var _ oauth2.AuthorizeCodeStorage = &authorizeCodeStorage{}
@@ -366,45 +367,43 @@ const ExpectedAuthorizeCodeSessionJSONFromFuzzing = `{
 				"Subject": "\u0026¥潝邎Ȗ莅ŝǔ盕戙鵮碡ʯiŬŽ"
 			},
 			"custom": {
-				"providerUID": "Ĝ眧Ĭ",
-				"providerName": "ʼn2ƋŢ觛ǂ焺nŐǛ",
-				"providerType": "ɥ闣ʬ橳(ý綃ʃʚƟ覣k眐4",
+				"username": "Ĝ眧Ĭ",
+				"providerUID": "ʼn2ƋŢ觛ǂ焺nŐǛ",
+				"providerName": "ɥ闣ʬ橳(ý綃ʃʚƟ覣k眐4",
+				"providerType": "ȣ掘ʃƸ澺淗a紽ǒ|鰽",
 				"warnings": [
-					"掘ʃƸ澺淗a紽ǒ|鰽ŋ猊",
-					"毇妬\u003e6鉢緋uƴŤȱʀļÂ?"
+					"t毇妬\u003e6鉢緋uƴŤȱʀļÂ",
+					"虝27就伒犘c钡ɏȫ齁š"
 				],
 				"oidc": {
-					"upstreamRefreshToken": "\u003cƬb",
-					"upstreamAccessToken": "犘c钡ɏȫ",
-					"upstreamSubject": "鬌",
-					"upstreamIssuer": "%OpKȱ藚ɏ¬Ê蒭堜"
+					"upstreamRefreshToken": "OpKȱ藚ɏ¬Ê蒭堜]ȗ韚ʫ繕ȫ碰+ʫ",
+					"upstreamAccessToken": "k9帴",
+					"upstreamSubject": "磊ůď逳鞪?3)藵睋邔\u0026Ű惫蜀Ģ",
+					"upstreamIssuer": "4İ"
 				},
 				"ldap": {
-					"userDN": "ȗ韚ʫ繕ȫ碰+",
+					"userDN": "×",
 					"extraRefreshAttributes": {
-						"+î艔垎0": "ĝ",
-						"4İ": "墀jMʥ",
-						"k9帴": "磊ůď逳鞪?3)藵睋邔\u0026Ű惫蜀Ģ"
+						"ʥ笿0D": "s"
 					}
 				},
 				"activedirectory": {
-					"userDN": "%Ä摱ìÓȐĨf跞@)¿,ɭS隑i",
+					"userDN": "ĝ",
 					"extraRefreshAttributes": {
-						" 皦pSǬŝ社Vƅȭǝ*擦28Dž": "vư",
-						"艱iYn面@yȝƋ鬯犦獢9c5¤.岵": "浛a齙\\蹼偦歛"
+						"IȽ齤士bEǎ": "跞@)¿,ɭS隑ip偶宾儮猷V麹",
+						"ȝƋ鬯犦獢9c5¤.岵": "浛a齙\\蹼偦歛"
 					}
 				}
 			}
 		},
 		"requestedAudience": [
-			"置b",
-			"筫MN\u0026錝D肁Ŷɽ蔒PR}Ųʓl{"
+			" 皦pSǬŝ社Vƅȭǝ*擦28Dž",
+			"vư"
 		],
 		"grantedAudience": [
-			"jÃ轘屔挝",
-			"Œų崓ļ憽-蹐È_¸]fś",
-			"ɵʮGɃɫ囤1+,Ȳ"
+			"置b",
+			"筫MN\u0026錝D肁Ŷɽ蔒PR}Ųʓl{"
 		]
 	},
-	"version": "2"
+	"version": "3"
 }`