Reload OIDC syncs without requiring the user to re-login

Today OIDC sync (org/group/role) only happens on OIDC user authenticating. If the settings are updated, the user's are not refreshed.

We could save their OIDC claims and re-apply them when changing any of the sync settings. Or some manual "resync" button if the IdP changes.

This might be slow on large deployments, so might need to be an async job?