Fixes #29113: Security improvements for OIDC config

[clarktsiory]

https://issues.rudder.io/issues/29113

• follow the documented "restrict mapping as true" by default as in the doc
• add tests against cached API opaque token cache to take API account status into consideration

---

Upmerge will be complicated 😅 (ApiAccount model has changed in 9.1, and we need a special PR in 9.2)

[fanf]

LGTM ! Good luck with the upmerge

[Normation-Quality-Assistant]

This PR is not mergeable to upper versions.
Since it is "Ready for merge" you must merge it by yourself using the following command:
rudder-dev merge https://github.com/Normation/rudder-plugins/pull/974
If necessary please resolve conflicts. Then check the state of higher version branches and run rudder-dev merge all if needed.
-- Your faithful QA
Kant merge: "Two things awe me most, the starry sky above me and the moral law within me."
(https://ci.normation.com/jenkins/job/merge-accepted-pr/120069/console)