feat: generic OIDC role extraction from access token
All checks were successful
CI / cleanup-branch (push) Has been skipped
CI / build (push) Successful in 1m48s
CI / docker (push) Successful in 1m1s
CI / deploy-feature (push) Has been skipped
CI / deploy (push) Successful in 38s

The OIDC login flow now reads roles from the access_token (JWT) in
addition to the id_token. This fixes role extraction with providers
like Logto that put scopes/roles in access tokens rather than id_tokens.

- Add audience and additionalScopes to OidcConfig for RFC 8707 resource
  indicator support and configurable extra scopes
- OidcTokenExchanger decodes access_token with at+jwt-compatible processor,
  falls back to id_token if access_token is opaque or has no roles
- syncOidcRoles preserves existing local roles when OIDC returns none
- SPA includes resource and additionalScopes in authorization requests
- Admin UI exposes new config fields

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
hsiegeln
2026-04-07 10:16:52 +02:00
parent 95eb388283
commit 03ff9a3813
11 changed files with 173 additions and 22 deletions
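The commit message describes the new role-extraction order (access_token JWT first, id_token as fallback, local roles kept when the provider returns none) but the diff shown here only covers the generated API types. The following is an added example, not the project's OidcTokenExchanger or any code from this commit, that models that behaviour so the audience and token-type checks a reviewer would look for are visible. Function names, the `rolesClaim` setting, the claim layout, and the sample tokens are assumptions; the example assumes the JWT signature has already been verified against the provider's JWKS by the token processor and only deals with claim handling.

```typescript
// Added example, not the project's code: OIDC role extraction from an
// access_token JWT with id_token fallback and local-role preservation.
// Assumes signature verification already happened upstream.

type Claims = Record<string, unknown>;

interface OidcRoleConfig {
  audience?: string;  // expected `aud` of the access token (RFC 8707 resource); assumed name
  rolesClaim: string; // claim that carries roles, e.g. "roles"; assumed name
}

export interface RoleResult {
  roles: string[];
  source: "access_token" | "id_token" | "none";
}

// Minimal base64url (RFC 4648 section 5, unpadded) over ASCII text, so the
// example needs no Buffer/atob typings. Real JWTs may carry UTF-8 claims.
const ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

function b64urlEncode(text: string): string {
  let out = "", bits = 0, acc = 0;
  for (let i = 0; i < text.length; i++) {
    acc = (acc << 8) | (text.charCodeAt(i) & 0xff);
    bits += 8;
    while (bits >= 6) { bits -= 6; out += ALPHABET[(acc >> bits) & 0x3f]; }
  }
  if (bits > 0) out += ALPHABET[(acc << (6 - bits)) & 0x3f];
  return out;
}

function b64urlDecode(data: string): string {
  let out = "", bits = 0, acc = 0;
  for (let i = 0; i < data.length; i++) {
    const v = ALPHABET.indexOf(data[i]);
    if (v < 0) throw new Error("invalid base64url");
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((acc >> bits) & 0xff); }
  }
  return out;
}

/** Builds a constructed, unsigned JWT for the samples below (not a real token). */
export function makeJwt(header: Claims, payload: Claims): string {
  return `${b64urlEncode(JSON.stringify(header))}.${b64urlEncode(JSON.stringify(payload))}.sig`;
}

/** Returns null for opaque tokens: anything that is not header.payload.signature. */
export function decodeJwt(token: string): { header: Claims; payload: Claims } | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    return {
      header: JSON.parse(b64urlDecode(parts[0])) as Claims,
      payload: JSON.parse(b64urlDecode(parts[1])) as Claims,
    };
  } catch (_err) {
    return null;
  }
}

function rolesFrom(payload: Claims, claim: string): string[] {
  const value = payload[claim];
  if (Array.isArray(value)) return value.filter((v): v is string => typeof v === "string");
  // Scope-style providers put a space-separated string in the claim.
  if (typeof value === "string") return value.split(" ").filter((s) => s.length > 0);
  return [];
}

function audienceMatches(payload: Claims, expected: string | undefined): boolean {
  if (expected === undefined) return true; // nothing configured, nothing to enforce
  const aud = payload["aud"];
  if (typeof aud === "string") return aud === expected;
  if (Array.isArray(aud)) return aud.indexOf(expected) !== -1;
  return false;
}

export function extractRoles(accessToken: string, idToken: string, cfg: OidcRoleConfig): RoleResult {
  const at = decodeJwt(accessToken);
  if (at !== null) {
    // RFC 9068 access tokens carry typ "at+jwt"; a JWT with another explicit
    // type is not treated as an access token. The audience check keeps a token
    // minted for a different resource from granting roles here.
    const typ = at.header["typ"];
    const typeOk = typ === undefined || typ === "at+jwt";
    if (typeOk && audienceMatches(at.payload, cfg.audience)) {
      const roles = rolesFrom(at.payload, cfg.rolesClaim);
      if (roles.length > 0) return { roles, source: "access_token" };
    }
  }
  const idt = decodeJwt(idToken); // fallback: opaque access token or no roles in it
  if (idt !== null) {
    const roles = rolesFrom(idt.payload, cfg.rolesClaim);
    if (roles.length > 0) return { roles, source: "id_token" };
  }
  return { roles: [], source: "none" };
}

/** Local roles survive when the provider returned none; otherwise OIDC wins. */
export function syncOidcRoles(localRoles: string[], oidcRoles: string[]): string[] {
  return oidcRoles.length > 0 ? oidcRoles.slice() : localRoles.slice();
}

// Constructed samples (unsigned, illustration only).
export const SAMPLE_CONFIG: OidcRoleConfig = { audience: "https://api.example.test", rolesClaim: "roles" };
export const SAMPLE_ACCESS_TOKEN = makeJwt(
  { alg: "RS256", typ: "at+jwt" },
  { aud: "https://api.example.test", roles: ["admin", "editor"] },
);
export const SAMPLE_ID_TOKEN = makeJwt({ alg: "RS256", typ: "JWT" }, { aud: "client-id", email: "user@example.test" });
```

The point of the `aud` comparison is that with RFC 8707 the client asks for a token scoped to one resource; an access token the provider issued for some other resource (or with no audience at all when one is configured) should not be a source of roles, and the code falls through to the id_token rather than trusting it.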


@@ -1445,6 +1445,8 @@ export interface components {
autoSignup?: boolean;
displayNameClaim?: string;
userIdClaim?: string;
audience?: string;
additionalScopes?: string[];
};
/** @description Error response */
ErrorResponse: {
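Review bot: the two new fields `audience?: string;` and `additionalScopes?: string[];` have no `@description` annotation, while the fields added to the discovery response later in this same file do. Since this looks like openapi-typescript output, the fix belongs in the OpenAPI spec rather than here: describe `audience` as the RFC 8707 resource indicator (an absolute URI) and state what an `additionalScopes` entry looks like, so the admin UI and the server validate the same thing and an operator knows what a bad value looks like.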
@@ -1462,6 +1464,8 @@ export interface components {
autoSignup?: boolean;
displayNameClaim?: string;
userIdClaim?: string;
audience?: string;
additionalScopes?: string[];
};
UpdateGroupRequest: {
name?: string;
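Review bot: on the update request, `audience?: string;` being optional leaves it unstated whether omitting the field keeps the stored audience or clears it, so an operator who wants to remove a previously configured audience has no documented way to do so from this type. Spell out the semantics in the spec (or accept an explicit `null` to clear) so server and admin UI agree; the same applies to `additionalScopes?: string[];`, where an omitted field and an empty array should be distinguished in the description.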
@@ -2029,6 +2033,10 @@ export interface components {
authorizationEndpoint: string;
/** @description Present if the provider supports RP-initiated logout */
endSessionEndpoint?: string;
/** @description RFC 8707 resource indicator for the authorization request */
resource?: string;
/** @description Additional scopes to request beyond openid email profile */
additionalScopes?: string[];
};
/** @description Agent instance summary with runtime metrics */
AgentInstanceResponse: {
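Review bot: the config types call this value `audience` while the discovery response calls it `resource`; the `@description` on `resource?: string;` should say that it is the configured audience, and, like the `endSessionEndpoint` comment just above it, say when it is present (only when an audience has been configured). It is also worth stating that the SPA passes the value through unchanged as the `resource` authorization-request parameter, since that is the RFC 8707 behaviour the commit message describes and the reason the field exists on a public endpoint.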