Allow setting can_request_admin dynamically by claims of upstream IDP

[fl0lli]

The option of only setting Synapse admin users statically via the local password database or the configuration file is restrictive.
When using an upstream IDP with a dynamic set of admin users, I would like to enable dynamic setting of the can_request_admin attribute.

As part of the OAuth2 callback, the claims of the upstream IDP are evaluated and imported.
IDPs can usually be configured so that they dynamically add claims to the token/UserInfo based on groups or similar.
For example, an upstream IDP can set the Boolean claim is_admin based on a group membership so that it can be imported like other claims using

admin:
 action: force
 template: "{{ user.is_admin }}"

The can_request_admin flag can then be set accordingly in the UserRepository.

This closes #4785.

[CLAassistant]

All committers have signed the CLA.