Sync Gateway already has the username_claim config option for OIDC to allow mapping a claim other than sub to use as the username.
Add two new options, channels_claim and roles_claim, to perform a similar mapping for channels and roles respectively. The value of each of these claims must be either a string or an array of strings.
These should be in addition to any roles/channels granted through admin_channels and/or admin_roles. They should be cached on the user document so that we don't need to perform OIDC authorization on each request. (An open question is how to handle these when a user first signs in through OIDC, then through basic auth - should the OIDC channels/roles be revoked?).
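As an added illustration of the proposed mapping (example code written for this page, not Sync Gateway's own implementation), the Go below reads a configured username, channels and roles claim from an already-verified ID token payload, accepts a claim only when it is a string or an array of strings, and unions the result with the admin-assigned channels and roles. The ClaimConfig and Grants types, the claim names sg_channels and sg_roles, and the token payload are all constructed for the example and are not Sync Gateway identifiers.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// ClaimConfig is a hypothetical stand-in for the proposed OIDC provider
// options; it is not Sync Gateway's actual configuration type.
type ClaimConfig struct {
	UsernameClaim string // defaults to "sub" when empty
	ChannelsClaim string // optional claim carrying channel names
	RolesClaim    string // optional claim carrying role names
}

// Grants is the principal data derived from one validated ID token.
type Grants struct {
	Username string
	Channels []string
	Roles    []string
}

// SampleClaims is a constructed ID-token payload (signature verification is
// assumed to have happened upstream); it is not a real token.
const SampleClaims = `{
  "sub": "1234567890",
  "email": "alice@example.com",
  "sg_channels": ["projects", "team-a"],
  "sg_roles": "editor"
}`

// ParseClaims decodes a JSON claim set into a generic map.
func ParseClaims(payload string) (map[string]interface{}, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &claims); err != nil {
		return nil, fmt.Errorf("invalid claim set: %w", err)
	}
	return claims, nil
}

// claimStrings reads a claim that must be a string or an array of strings.
// A missing claim yields nil; any other JSON type is rejected rather than
// coerced, so a misconfigured claim cannot grant unexpected access.
func claimStrings(claims map[string]interface{}, name string) ([]string, error) {
	raw, ok := claims[name]
	if !ok {
		return nil, nil
	}
	switch v := raw.(type) {
	case string:
		return []string{v}, nil
	case []interface{}:
		out := make([]string, 0, len(v))
		for _, item := range v {
			s, ok := item.(string)
			if !ok {
				return nil, fmt.Errorf("claim %q: element %v is not a string", name, item)
			}
			out = append(out, s)
		}
		return out, nil
	default:
		return nil, fmt.Errorf("claim %q must be a string or array of strings, got %T", name, raw)
	}
}

// union merges two name lists, deduplicated and sorted for stable caching.
func union(a, b []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, s := range append(append([]string{}, a...), b...) {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	sort.Strings(out)
	return out
}

// GrantsFromClaims maps the configured claims onto a username, channels and
// roles, adding the claim-derived grants to the admin-assigned ones.
func GrantsFromClaims(cfg ClaimConfig, claims map[string]interface{}, adminChannels, adminRoles []string) (Grants, error) {
	userClaim := cfg.UsernameClaim
	if userClaim == "" {
		userClaim = "sub"
	}
	username, ok := claims[userClaim].(string)
	if !ok || username == "" {
		return Grants{}, fmt.Errorf("username claim %q missing or not a string", userClaim)
	}
	var channels, roles []string
	var err error
	if cfg.ChannelsClaim != "" {
		if channels, err = claimStrings(claims, cfg.ChannelsClaim); err != nil {
			return Grants{}, err
		}
	}
	if cfg.RolesClaim != "" {
		if roles, err = claimStrings(claims, cfg.RolesClaim); err != nil {
			return Grants{}, err
		}
	}
	return Grants{Username: username, Channels: union(adminChannels, channels), Roles: union(adminRoles, roles)}, nil
}

func main() {
	claims, err := ParseClaims(SampleClaims)
	if err != nil {
		panic(err)
	}
	cfg := ClaimConfig{UsernameClaim: "email", ChannelsClaim: "sg_channels", RolesClaim: "sg_roles"}
	g, err := GrantsFromClaims(cfg, claims, []string{"public"}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", g)
}
```

The strict type check in claimStrings is the part worth keeping when wiring this into a real provider: a claim that arrives as a number, object or nested array is an error, not an empty grant, so a provider misconfiguration surfaces at sign-in rather than as a silent change in a user's channel set.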