RBAC updates to support aggregated role bindings (#870)

* RBAC updates to support aggregated role bindings when using the OidcRoleMapping with an external identity provider.

* Fixed braces to match existing styling.

* Simplified role mapping predicate.

Co-authored-by: John Fredrickson <john.fredrickson@arinet.com>

backend/src/Squidex/Config/Authentication/OidcHandler.cs

@@ -26,14 +26,14 @@ namespace Squidex.Config.Authentication
 
             if (!string.IsNullOrWhiteSpace(options.OidcRoleClaimType) && options.OidcRoleMapping?.Count >= 0)
             {
-                var role = identity.FindFirst(x => x.Type == options.OidcRoleClaimType)?.Value;
+                var permissions = options.OidcRoleMapping
+                    .Where(r => identity.HasClaim(options.OidcRoleClaimType, r.Key))
+                    .SelectMany(r => r.Value)
+                    .Distinct();
 
-                if (!string.IsNullOrWhiteSpace(role) && options.OidcRoleMapping.TryGetValue(role, out var permissions) && permissions != null)
+                foreach (var permission in permissions)
                 {
-                    foreach (var permission in permissions)
+                    identity.AddClaim(new Claim(SquidexClaimTypes.Permissions, permission));
-                    {
-                        identity.AddClaim(new Claim(SquidexClaimTypes.Permissions, permission));
-                    }
                 }
             }