[Generic] Allow passing period-separated string for nested `claim_groups_key` in generic_client
Proposed change
Allow passing, for example, `claim_groups_key=permissions.groups` to `GenericOAuthenticator`, to extract the groups from a claim with the form
```json
{
  "permissions": {
    "groups": ["mygroup1", "mygroup2"]
  }
}
```
Alternative options
It is currently possible to do this by passing a `Callable()` that returns the groups given the user object, but I find this not configurable enough. It is also very finicky (probably impossible) to use with the Kubernetes-hosted JupyterHub.
Who would use this feature?
For example, Keycloak exposes its group claim under `realm_access.roles`. Therefore, I cannot currently implement authorization on our Kubernetes-hosted JupyterHub instance.
(Optional): Suggest a solution
Similar classes in, for example, Java Spring Boot use a period to separate nested keys. I think we should do the same.
This will be a breaking change for users who have a key with a period in it. I think this is an edge case but do you think we should design for it?
I implemented a quick fix for this in this PR: https://github.com/jupyterhub/oauthenticator/pull/537
Any feedback is appreciated on this.
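The lookup requested above, sketched as an added example; it is not code from the issue, from the linked PR, or from oauthenticator. The function names are hypothetical, the sample claims are constructed, and matching a literal dotted key before walking nested objects is an assumption about how the breaking-change question could be handled.

```python
from collections.abc import Mapping


def resolve_claim(claims, key):
    """Look up `key` in `claims`; a period-separated key walks nested objects.

    Assumption: a top-level claim whose name literally contains a period is
    matched first, so existing flat configurations keep their behaviour.
    Returns None when a segment is missing or a parent is not an object.
    """
    if not isinstance(claims, Mapping):
        return None
    if key in claims:
        return claims[key]
    node = claims
    for part in key.split("."):
        if not isinstance(node, Mapping) or part not in node:
            return None
        node = node[part]
    return node


def groups_from_claims(claims, claim_groups_key):
    """Return the user's groups as a set; unusable values yield an empty set."""
    value = resolve_claim(claims, claim_groups_key)
    if isinstance(value, str):
        # Wrap a single string: set("admin") would otherwise produce
        # one "group" per character.
        return {value}
    if isinstance(value, (list, tuple, set)):
        return {g for g in value if isinstance(g, str)}
    return set()  # missing, null, or an object: no groups, so no access


def is_authorized(claims, claim_groups_key, allowed_groups):
    """True only if the user holds at least one allowed group."""
    return bool(groups_from_claims(claims, claim_groups_key) & set(allowed_groups))


# Constructed sample claims (not taken from any real identity provider response)
NESTED = {"permissions": {"groups": ["mygroup1", "mygroup2"]}}
KEYCLOAK_STYLE = {"realm_access": {"roles": ["jupyter-users"]}}
FLAT_DOTTED = {"permissions.groups": ["legacy"], "permissions": {"groups": ["nested"]}}
MALFORMED = {"permissions": "not-an-object"}

if __name__ == "__main__":
    for sample in (NESTED, FLAT_DOTTED, MALFORMED):
        print(sorted(groups_from_claims(sample, "permissions.groups")))
    print(is_authorized(KEYCLOAK_STYLE, "realm_access.roles", ["jupyter-users"]))
```

A missing or malformed path resolves to an empty group set, so a misconfigured key denies access instead of raising or granting it.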
Top GitHub Comments
I think only a minor version bump is relevant for this, I’ll look into making one directly because why not.
Done!