Feature/167 groups from ldap for entra

[dk1844]

This PR introduces a new feature described in #167.

With loginsvc.rest.jwt.{aws-secrets-manager|generate-in-memory}.allow-providers-to-refresh-groups-on-generate = false, the token without groups (typically coming from MS Entra) may be enriched by groups coming from a UserSearchService (typically LDAP, but ConfigUsers would work, too).

Necessary changes added:

• groups filtering has moved to JWTService from TokenController (because we need to filter the fetched groups, too)
• supported by new unit tests
• UI of the login form extended to optionally support groups-prefixes (vibe-coded 😆)

Release notes:

• config now must contain ``loginsvc.rest.jwt.{aws-secrets-manager|generate-in-memory}.allow-providers-to-refresh-groups-on-generate = false|true`. If enabled, this bring the ability to fill empty groups for users (obtained by MS Entra).

Developer testing

Login form UI result with custom groups-prefixes used via MS Entra:
(backend setup includes allow-providers-to-refresh-groups-on-generate = false, but empty groups were fetched in the MS Entra JWT)

Resulting LS access token contains groups now fetched from LDAP based on the sub in the MS Entra JWT:

Closes #167

[github-actions]

Report: Report: api - scala:2.12.17

Metric (instruction)	Coverage	Threshold	Status
Overall	71.68%	43.0%	✅
Changed Files	91.34%	70.0%	✅

File Path	Coverage	Threshold	Status
AwsSecretsManagerKeyConfig.scala	92.18%	0.0%	✅
InMemoryKeyConfig.scala	98.0%	0.0%	✅
JWTService.scala	82.52%	0.0%	✅
KeyConfig.scala	91.48%	0.0%	✅
PrefixesConfig.scala	94.25%	0.0%	✅
TokenController.scala	80.95%	0.0%	✅
User.scala	100.0%	0.0%	✅

[dk1844]

This is the get-experimental endpoint.
The fate of it is not decided yet, therefore no generalization effort with the normal post-based token/generate (identical impl now).

This feature is disabled on PROD.

[TheLydonKing]

LGTM.