Replace token placement options on AttributeTranscoders

Added deniedUserInfoAttributes profile setting to both SSO and UserInfo configs and removed the last setting.

I considered whether having a separate "embed for ID / embed for UserInfo" approach might work but it seemed more awkward.

I defined three properties that will populate these lists in all the various places so I guess for simple cases that should be simple enough.

I think this should be functional and would rather see what the problems are before revisiting or adding more.

Added an alwaysIncluded profile setting to enumerate the attribute IDs to force-include in the ID token and removed encoder/transcoder settings.

Added an encodedAttributes profile setting to enumerate the attribute IDs to embed in the tokens and removed encoder/transcoder settings.

reminded me (for probably the 4th time) that the reason filtering doesn't work well for this is that it's upstream of consent, and if we remove attributes because they're not targeted for the ID token on the front channel, the consent step won't get a chance to see them in case the approval would allow them to show up on the back channel.

We don't want side effects in the filtering engine so that rules out using it for this.

The best option seems to be profile configuration settings.

My only hesitation there is whether we need a way to signal "all" for a particular setting instead of enumerating attributes.

The "store in token" option that bakes the claims encrypted into the access token is important for proxying, but I'm not sure we'd want that set to "all" given the potential for bloat so that's not so crucial.

Both the "put in ID token" and "deny in user_info" options default to false, which implies they'd be "unusual" to use in most cases. In that case I don't know that there's a strong need to have an "all" shortcut. For now we probably can leave it at a set of attribute IDs and see what happens.