Users need an email assigned in AD to access guacamole

[t-young31]

Describe the bug
Without an email assigned to a user in AD accessing guacamole fails with a 500 error. Guacamole app logs:

 guacd[236]: INFO:	Guacamole proxy daemon (guacd) version 1.5.1 started
 guacd[236]: INFO:	Listening on host 0.0.0.0, port 4822
 [proxy.go:89] mapping path "/" => upstream "http://0.0.0.0:8080"
[oauthproxy.go:162] OAuthProxy configured for OpenID Connect Client ID: XXX
[oauthproxy.go:168] Cookie settings: name:_oauth2_proxy secure(https):true httponly:true expiry:168h0m0s domains: path:/ samesite: refresh:after 50m0s
[oauthproxy.go:959] No valid authentication in request. Initiating login. x.x.x.x - a4ad31ff-d4aa-4130-8038-5e4173f7c871 - - 
GET - "/robots933456.txt" HTTP/1.1 "HealthCheck/1.0" 302 491 0.000
 [oauthproxy.go:959] No valid authentication in request. Initiating login.
x.x.x.x - f5b6cdf8-789a-4cff-a509-d460f072d894 - - [2023/06/05 18:13:55] guacamole-XXX-ws-4c91-svc-1c6d.azurewebsites.net GET - "/guacamole" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36" 302 484 0.040
[oauthproxy.go:823] Error redeeming code during OAuth2 callback: could not get claim "email": failed to fetch claims from profile URL: error making request to profile URL: unexpected status "401": {"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"XXX","request-id":"XXX","client-request-id":"XXX"}}}

Steps to reproduce

1. Login to TRE with user that doesn't have an email in AD
2. Deploy guacamole shared service
3. Attempt to access guacamole

[marrobi]

I believe email address is a requirement of OpenID, unless there is another field we can configure Oauth proxy to use.

[marrobi]

Maybe we can change oidc-email-claim to prefered_username.