Allow GitLab OpenID Connect identity provider id_token expiration to be configured
Problem to solve
When using GitLab as an OpenID Connect identity provider, we can obtain both an access_token and an id_token. Those tokens have an expiration, which for the id_token is 2 minutes by default (this is the default value in Doorkeeper).
Actually, we are using GitLab as an SSO provider for our ArgoCD users and our CI (this allows us to authenticate pipelines and use RBAC to control actions done from the pipeline), and the id_token is used by ArgoCD to know the users' groups. But as the id_token expires really quickly (2 minutes), the user experience is really bad (you get the OAuth2 redirects almost every time you're trying to do something).
The idea is to allow, at least for self-managed instances, configuring the id_token expiration in the configuration file (for example to 2 hours).
I'm not sure if this implies a security risk; from my understanding it should not, as we don't change the token structure.
The main impact I can see is that a user who is added to or removed from a group will not see the change in the id_token until it has expired (so max 2 hours, for example) or logged out.
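The staleness window described above (group changes not visible until the id_token expires) can be bounded on the relying-party side independently of exp. The following is an added example, not code from GitLab, ArgoCD or this issue: it decodes a constructed id_token and classifies it for a group-based decision using a separate maximum age for the groups claim. The tokens are constructed and carry a placeholder signature; a real relying party must verify the signature against the provider's JWKS before trusting any claim.

```python
"""Added example: cap the age of the `groups` claim in an OIDC id_token
independently of its `exp`, so a long token lifetime (e.g. 2 hours) does not
mean group membership changes go unnoticed for the whole lifetime."""
import base64
import json

SKEW = 30  # seconds of clock skew tolerated on exp/iat (assumed policy value)


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS.
    NOTE: no signature verification here; do that with the provider's JWKS
    (e.g. via an OIDC client library) before calling this in production."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def evaluate(claims: dict, now: int, max_group_age: int) -> str:
    """Classify an id_token for a group-based authorization decision.
    'expired'      -> exp has passed; the user must re-authenticate.
    'stale_groups' -> token still valid, but `groups` was issued longer ago
                      than the relying party tolerates; refresh the token.
    'ok'           -> usable as-is."""
    exp, iat = int(claims["exp"]), int(claims["iat"])
    if iat > now + SKEW:
        raise ValueError("iat is in the future")
    if now > exp + SKEW:
        return "expired"
    if now - iat > max_group_age:
        return "stale_groups"
    return "ok"


def make_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED demo token (placeholder signature segment).
    Only for exercising evaluate(); never accept such a token in real code."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder"
```

With a 2-hour id_token and max_group_age of 10 minutes, a membership change is reflected within 10 minutes instead of 2 hours, while the OAuth2 redirect storm of a 2-minute token is avoided.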
Proposal
Include a configuration parameter in gitlab.rb to allow configuring the id_token expiration.
Intended users
Everybody using GitLab as an OpenID Connect identity provider