use the email from the userinfo
change the roles | handle common roles with openminted | change role parsing
correct error code in 403 messages.
MERGE newClaimsAPI 42190:48301