feat: add configurable userIdClaim for OIDC user identification

The OIDC user login ID is now configurable via the admin OIDC setup
dialog (userIdClaim field). Supports dot-separated claim paths (e.g.
'email', 'preferred_username', 'custom.user_id'). Defaults to 'sub'
for backwards compatibility. Throws if the configured claim is missing
from the id_token.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cameleer3-server-app/src/main/java/com/cameleer3/server/app/dto/OidcAdminConfigRequest.java

@@ -13,5 +13,6 @@ public record OidcAdminConfigRequest(
         String rolesClaim,
         List<String> defaultRoles,
         boolean autoSignup,
-        String displayNameClaim
+        String displayNameClaim,
+        String userIdClaim
 ) {}

cameleer3-server-app/src/main/java/com/cameleer3/server/app/dto/OidcAdminConfigResponse.java

@@ -16,17 +16,19 @@ public record OidcAdminConfigResponse(
         String rolesClaim,
         List<String> defaultRoles,
         boolean autoSignup,
-        String displayNameClaim
+        String displayNameClaim,
+        String userIdClaim
 ) {
     public static OidcAdminConfigResponse unconfigured() {
-        return new OidcAdminConfigResponse(false, false, null, null, false, null, null, false, null);
+        return new OidcAdminConfigResponse(false, false, null, null, false, null, null, false, null, null);
     }
 
     public static OidcAdminConfigResponse from(OidcConfig config) {
         return new OidcAdminConfigResponse(
                 true, config.enabled(), config.issuerUri(), config.clientId(),
                 !config.clientSecret().isBlank(), config.rolesClaim(),
-                config.defaultRoles(), config.autoSignup(), config.displayNameClaim()
+                config.defaultRoles(), config.autoSignup(), config.displayNameClaim(),
+                config.userIdClaim()
         );
     }
 }