feat: Jwt -- don't force "upn" claim

[manger]

Description

Fixes #5151

Adjusts the Jwt class so that userPrincipal() returns the value of a upn, preferred_username, or sub claim in that order of preference; but the class does not automatically insert a upn claim whenever a preferred_username or sub is present. This means userPrincipal() returns a value to satisfy the Eclipse MicroProfile Interoperable JWT RBAC. But the Jwt class is still usable for use-cases beyond that very specific profile where a upn claims in not required, not desired, and may even be forbidden.

A upn claim can still be set.

Unit tests are added to confirm that Jwt.userPrincipal() falls back to sub if upn is absent; and to confirm that upn is no longer automatically (and unexpectedly) added just because sub is set.

All the existing unit tests still pass.

Documentation

The javadoc for Jwt.userPrincipal() and Jwt.Builder.userPrincipal(String) is adjusted.

[oracle-contributor-agreement]

Thank you for your pull request and welcome to our community! To contribute, please sign the Oracle Contributor Agreement (OCA).
The following contributors of this PR have not signed the OCA:

• PR author: manger
• [email protected] (@c799878)

To sign the OCA, please create an Oracle account and sign the OCA in Oracle's Contributor Agreement Application.

When signing the OCA, please provide your GitHub username. After signing the OCA and getting an OCA approval from Oracle, this PR will be automatically updated.

If you are an Oracle employee, please make sure that you are a member of the main Oracle GitHub organization, and your membership in this organization is public.

[romain-grecourt]

@manger Do you intend on signing the contributor agreement ?

[manger]

Yes, I intend to sign the contributor agreement. Just need to navigate the org processes to do so.