Add Envoy filter definitions for multiple IdP support
This change by itself is not a breaking change and should not affect behavior of any other component.
This supports the Multiple Identity Provider functionality by pulling the logic of extracting identity from multiple token formats out of the service and lifting it into the service mesh, which will provide the identity to the service as a secure and verified value in a well-known header. After this infrastructure-level code is added, we will complete the implementation of this feature by adding code to Entitlements to use these well-known headers directly.
This change adds two Envoy filters. They are in a single file to enforce the deployment order, because they have to chain (the first one must exist before the second is added).
The first filter guarantees that the well-known headers can only be provided to the service through the service mesh layer, stripping them if they are provided as part of a user request.
The second filter extracts the identity and application identity from a Microsoft Azure Active Directory token according to the logic which currently exists in the Entitlements service. If no AAD token is supplied, the well-known headers will not be set.
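
The two-filter chain described above, modelled in Python as an added example; it is not the project's Envoy configuration. The header names `x-user-id` and `x-app-id` and the claim names `upn` and `appid` are assumptions (the message does not name them), and token signature, issuer and audience checks are assumed to have run upstream.

```python
# Hypothetical header names; the commit message does not give the real ones.
USER_HEADER = "x-user-id"
APP_HEADER = "x-app-id"
TRUSTED_HEADERS = {USER_HEADER, APP_HEADER}


def strip_trusted_headers(headers, verified_claims=None):
    """Filter 1: drop any client-supplied copy of the trusted headers.

    HTTP header names are case-insensitive, so compare lowercased names.
    """
    return {k: v for k, v in headers.items() if k.lower() not in TRUSTED_HEADERS}


def set_identity_from_aad(headers, verified_claims=None):
    """Filter 2: set the trusted headers from already-verified AAD claims.

    The claim names ("upn", "appid") are an assumption for illustration.
    With no AAD token the headers are left unset.
    """
    out = dict(headers)
    if verified_claims:
        if "upn" in verified_claims:
            out[USER_HEADER] = verified_claims["upn"]
        if "appid" in verified_claims:
            out[APP_HEADER] = verified_claims["appid"]
    return out


def run_chain(filters, headers, verified_claims=None):
    """Apply filters in order, as the mesh would on an inbound request."""
    for f in filters:
        headers = f(headers, verified_claims)
    return headers


CHAIN = [strip_trusted_headers, set_identity_from_aad]

# Constructed sample request and claims.
SPOOFED = {"Host": "svc.example", "X-User-Id": "admin@example.com"}
CLAIMS = {"upn": "alice@example.com", "appid": "11111111-2222-3333-4444-555555555555"}

if __name__ == "__main__":
    print(run_chain(CHAIN, SPOOFED))                    # spoofed header removed
    print(run_chain(CHAIN, SPOOFED, CLAIMS))            # identity from token only
    print(run_chain([set_identity_from_aad], SPOOFED))  # filter 2 alone: spoof survives
```

Running filter 2 without filter 1 leaves the client-supplied value in place whenever no token is present, which is why the strip filter has to exist first in the chain.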