nginx-openid-connect/nginx-oidc-core-v1

Capture access_token from IdP to forward it to the upstream service

shawnhankim opened this issue · 2 comments

Background:

  • The current NJS implementation disregards the access_token sent by the IdP and only stores the id_token in the NGINX Plus K/V store.

  • Token Recommendation

    When Using   | Do                                                   | Don't
    -------------+------------------------------------------------------+------------------------------------------------------
    ID Token     | - Assume the user is authenticated                   | - Call an API
                 | - Get user profile data                              | - Check if the client is allowed to access something
    Access Token | - Call an API                                        | - Inspect its content on the client
                 | - Check if the client is allowed to access something |
                 | - Inspect its content on the server side             |

    courtesy: ID Token and Access Token: What's the Difference?

Acceptance Criteria:

  • Enhance the NJS code to capture the access_token sent by the IdP.
  • Store the access_token in the K/V store the same way the id_token and refresh_token are stored.

Compatibility:

  • This issue will not block the existing features: there is no change to existing variables, and this only adds functionality.

Task Steps:

  • PR for NGINX Plus repo. (Issue Relevance: nginxinc#33)
  • PR for NGINX Ingress Controller repo.

Out of scope:

  • Validate the access_token the same way the id_token is validated.
  • Create a session cookie after the token(s) are stored in the K/V store and send it back to the client app.
  • When the session cookie is presented back to NGINX Plus, verify the session is present in the K/V store and that both token(s) are still valid.
  • Upon successful validation of the token(s), NGINX Plus proxies the access_token to the backend service in the Authorization header:
    Authorization: Bearer <access_token>

Assumptions:

  • The IdP is expected to return the access_token as a JWT; opaque tokens are not supported for now.
  • NGINX Plus is expected to always verify the validity and integrity of the token(s) before sending them to the client or backend.
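
An added example (not code from the nginx-openid-connect project) sketching the capture step this issue asks for in plain JavaScript: parse the IdP token response, keep the access_token next to the id_token and refresh_token, enforce the JWT-only assumption above, and build the Bearer header for the upstream. The function names, the K/V entry names and the sample response are assumptions; real NJS code would write the values to keyval-backed variables instead of returning an object.

```javascript
// Loose JWT shape check: three non-empty base64url segments. Enforces the
// issue's assumption that the access_token is a JWT (opaque tokens unsupported).
function looksLikeJwt(token) {
  if (typeof token !== 'string') return false;
  const parts = token.split('.');
  return parts.length === 3 && parts.every(p => /^[A-Za-z0-9_-]+$/.test(p));
}

// Parse the IdP token-endpoint response body and build the entries to store.
// Today only id_token and refresh_token are kept; access_token is added alongside.
function captureTokens(tokenResponseBody) {
  const tokenset = JSON.parse(tokenResponseBody);
  if (tokenset.error) throw new Error('IdP returned error: ' + tokenset.error);
  if (!tokenset.id_token) throw new Error('token response has no id_token');
  if (!tokenset.access_token) throw new Error('token response has no access_token');
  if (!looksLikeJwt(tokenset.access_token)) {
    throw new Error('access_token is not a JWT; opaque tokens are not supported');
  }
  // Entry names are hypothetical; a deployment would use its own keyval zones.
  return {
    id_token: tokenset.id_token,
    access_token: tokenset.access_token,
    refresh_token: tokenset.refresh_token || null,
  };
}

// Header value NGINX Plus would forward to the backend once the session and
// token(s) have been validated (validation itself is out of scope here).
function bearerHeader(session) {
  return 'Bearer ' + session.access_token;
}

// Constructed sample token response; the JWT segments are fake, not real tokens.
const SAMPLE_RESPONSE = JSON.stringify({
  token_type: 'Bearer',
  expires_in: 3600,
  id_token: 'eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl',
  access_token: 'eyJhbGciOiJSUzI1NiJ9.eyJzY29wZSI6ImFwaSJ9.c2ln',
  refresh_token: 'opaque-refresh-token-value',
});

const session = captureTokens(SAMPLE_RESPONSE);
console.log(bearerHeader(session));
```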

Misc.:

  • The out-of-scope items above will be addressed separately in another PR.