idTokenUserinfoAssertion property

If IDTokenUserinfoAssertion is enabled, the claims of profile, email, address and phone scopes are added to the id token even if an access token is issued. This can be required by some applications that do not call the userinfo endpoint after authentication or directly use the id_token for retrieving user information. Attention: this violates the OIDC specification, which states that these claims must only be requested from the userinfo endpoint if an access token is issued. This is to prevent leaking of personal information in the id token, which is often stored in the browser and therefore more vulnerable.