Project scoped API tokens #2130

Description

@jiparis

This is related to #2121

Currently, API tokens are created at organization level, and have access to all projects (they can be used to create attestations and invoke APIs scoped to the organization).
When RBAC is enabled, API tokens should be scoped to the projects the user creating it has access to. This can be done in different ways. Here are some ideas:

- static: storing the list of "allowed" projects in the token. This can be automatic (all projects visible to the user), or manual (allowing the user to select which projects).

  ```shell
  # this command will succeed if proj1 and proj2 are visible to the user in the current org
  chainloop org api-token create --name test --projects proj1,proj2
  ```

- dynamic: storing the "creator" of the API token in a custom claim, that can be used to narrow down every query to the user visible projects.
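The two scoping models above, side by side, as an added example that is not Chainloop's code and not part of the original issue. Everything here is hypothetical: the claim names (`org`, `creator`, `projects`), the in-memory `userProjects` RBAC directory, the HMAC-signed token format, and the `acme` org are all constructed for the demo. `CreateStatic` mirrors the `--projects proj1,proj2` flow (requested projects must be visible to the creator at creation time), `CreateDynamic` stores only the creator, and `Authorize` shows the behavioural difference that matters for RBAC: a static token keeps its frozen list after the creator loses access to a project, while a dynamic token stops working for that project immediately.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims carried by a project-scoped API token. Field names are hypothetical,
// not Chainloop's real token format.
type Claims struct {
	Org      string   `json:"org"`
	Creator  string   `json:"creator"`            // dynamic variant: resolve visibility at query time
	Projects []string `json:"projects,omitempty"` // static variant: allow-list frozen at creation
}

// Constructed RBAC directory standing in for the real membership lookup: user -> visible projects.
var userProjects = map[string]map[string]bool{
	"alice": {"proj1": true, "proj2": true},
	"bob":   {"proj3": true},
}

func visibleProjects(user string) map[string]bool { return userProjects[user] }

// RevokeAccess simulates the creator losing access to a project after the token was minted.
func RevokeAccess(user, project string) { delete(userProjects[user], project) }

// mint serialises the claims and signs them with HMAC-SHA256: "<payload>.<sig>", both base64url.
func mint(key []byte, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(enc))
	return enc + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

// Parse verifies the signature before trusting any claim, so a client cannot widen its own project list.
func Parse(key []byte, token string) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return c, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errors.New("invalid signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	return c, nil
}

// CreateStatic is the `--projects proj1,proj2` flow: every requested project must be visible to the creator.
// An empty list is rejected so it cannot be confused with the "no projects claim" dynamic form.
func CreateStatic(key []byte, creator string, requested []string) (string, error) {
	if len(requested) == 0 {
		return "", errors.New("at least one project is required")
	}
	for _, p := range requested {
		if !visibleProjects(creator)[p] {
			return "", fmt.Errorf("project %q is not visible to %s", p, creator)
		}
	}
	return mint(key, Claims{Org: "acme", Creator: creator, Projects: requested})
}

// CreateDynamic stores only the creator; the allowed set is recomputed on every request.
func CreateDynamic(key []byte, creator string) (string, error) {
	return mint(key, Claims{Org: "acme", Creator: creator})
}

// Authorize decides whether token may act on project: static tokens keep the list they were
// minted with, dynamic tokens follow the creator's current RBAC visibility.
func Authorize(key []byte, token, project string) (bool, error) {
	c, err := Parse(key, token)
	if err != nil {
		return false, err
	}
	if c.Projects != nil {
		for _, p := range c.Projects {
			if p == project {
				return true, nil
			}
		}
		return false, nil
	}
	return visibleProjects(c.Creator)[project], nil
}

func main() {
	key := []byte("constructed-demo-key")
	st, _ := CreateStatic(key, "alice", []string{"proj1", "proj2"})
	dy, _ := CreateDynamic(key, "alice")
	RevokeAccess("alice", "proj2")
	s, _ := Authorize(key, st, "proj2")
	d, _ := Authorize(key, dy, "proj2")
	fmt.Printf("after revoking proj2 from alice: static=%v dynamic=%v\n", s, d)
}
```

The design point the example makes explicit: the static list is cheap to evaluate and easy to audit (the scope is visible in the token), but it needs a revocation path when RBAC membership changes; the dynamic claim tracks membership automatically but costs an RBAC lookup per request and ties the token's lifetime to the creator's account. Either way the server must verify the signature before reading the project claim, otherwise the scope is client-controlled.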
