fix(openid-connect): ensure identity headers reflect validated tokens

[shreemaan-abhishek]

Description

The openid-connect plugin only set the X-Access-Token, X-Userinfo, X-ID-Token, and X-Refresh-Token headers when they were not already present in the incoming request, and it never cleared client-supplied values for these reserved header names at the start of the request. As a result, the headers the upstream received depended on what the client sent rather than purely on what the plugin validated.

This PR makes the behavior consistent:

• At the start of _M.rewrite, snapshot the incoming X-Access-Token value (it doubles as a bearer-token input via get_bearer_access_token) and clear all four reserved headers from the upstream-bound request.
• Update get_bearer_access_token to read the snapshot from ctx instead of the now-cleared header.
• Simplify add_access_token_header to always overwrite when set_access_token_header is true, so the upstream consistently sees plugin-controlled values.

A new regression test t/plugin/openid-connect-identity-headers.t covers two scenarios:

1. unauth_action = "pass" route: client-supplied identity headers do not bleed through to the upstream when the plugin lets the request pass without authentication.
2. bearer_only = true route with an embedded RS256 public key: the upstream receives the validated token in X-Access-Token, not whatever the client sent.

Which issue(s) this PR fixes:

Fixes #

Checklist

• I have explained the need for this PR and the problem it solves
• I have explained the changes or the new features added to this PR
• I have added tests corresponding to this change
• I have updated the documentation to reflect this change
• I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)