Support trusted claims from identity providers

[nichtich]

Allow providers to pass account attributes such as affiliation.

Required for NFDI, see https://iam.services.base4nfdi.de/attributes/ and #119

To be used in jskos-server for extended access control, see gbv/jskos-server#232

To be discussed:

• some attributes can be modified freely, some are trused from a particular identity provider
• should attributes be embedded in JWT or pass via web socket?