Allow switching jwt access token verification on and off. Many (most?) IDP
provide JWT encoded access tokens. If ocis is configured to assume jwt
access tokens (access_token_verify_method==jwt) we now properly verify
the token's signature and a set of standard claims ("exp", "iat" and "nbf"
by way of the jwt module's standard verification, and "iss" explicitly).
This change also allows for the introduction of other access token verification
mechanisms in the future (e.g. through introspection (RFC7662)).
We now try to parse the access token as a JWT, verifying the signature
using the keys downloaded from the jwks_uri of the IDP. Currently we
only use it to extract the expiry information from the JWT. This could
be reworked to extract other claims from the token for authorization
purposes.
Fixes: #3841
The removed code was broken in several ways:
- The key used for verification was always empty
- Using a static key for access_token verification is incompatible
with key rotation
- The type assertion (which was never hit anyway) to convert
the returned MapClaims to StandardClaims can't really work
So in the end we were always using the default ttl for caching
the userinfo.
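The verification flow the message describes, written out as an added example in Go (this is not ocis code and does not use the jwt module the commit refers to; it is standard library only). The key is selected from the JWKS document by the token header's kid, so a rotated key is handled by refetching the document instead of by a static key; the signature is checked first, then exp, nbf and iat against the current time and iss against the expected issuer. The function names (VerifyAccessToken, JWKSFor, IssueToken, NewIDPKey), the kid value and the issuer URL are assumptions made for the example; the three fixture helpers stand in for the IDP so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK is the RSA subset of a JSON Web Key (RFC 7517); JWKS is the document served at jwks_uri. Keys are
// picked by kid, so key rotation means refetching the document rather than swapping a static key.
type JWK struct{ Kty, Kid, N, E string } // encoding/json maps kty/kid/n/e onto these case-insensitively
type JWKS struct{ Keys []JWK }

// Claims are the standard claims checked here; NumericDate values are Unix seconds.
type Claims struct {
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
	Nbf int64  `json:"nbf,omitempty"`
	Iat int64  `json:"iat,omitempty"`
}

var b64 = base64.RawURLEncoding

// VerifyAccessToken checks the RS256 signature with the JWKS key matching the header kid, then exp/nbf/iat/iss.
func VerifyAccessToken(token string, jwks JWKS, issuer string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("bad header or alg %q (pinned to RS256: alg=none and HMAC/RSA confusion are rejected)", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			n, errN := b64.DecodeString(k.N)
			e, errE := b64.DecodeString(k.E)
			if errN != nil || errE != nil {
				return nil, fmt.Errorf("malformed JWK %q", k.Kid)
			}
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q in JWKS", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // RS256 = PKCS#1 v1.5 signature over SHA-256
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("invalid signature")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("malformed claims")
	}
	switch t := now.Unix(); {
	case c.Exp == 0 || t >= c.Exp:
		return nil, fmt.Errorf("token expired or missing exp")
	case c.Nbf != 0 && t < c.Nbf:
		return nil, fmt.Errorf("token not valid yet (nbf)")
	case c.Iat != 0 && t < c.Iat:
		return nil, fmt.Errorf("token issued in the future (iat)")
	case c.Iss != issuer:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	return &c, nil
}

// NewIDPKey, JWKSFor and IssueToken stand in for the IDP so this runs offline (fixture, not ocis code); JWKSFor is what the IDP would serve at jwks_uri.
func NewIDPKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

func JWKSFor(priv *rsa.PrivateKey, kid string) JWKS {
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: kid,
		N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}}
}

// IssueToken signs claims as an RS256 JWT: base64url(header).base64url(claims).base64url(signature).
func IssueToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // fixture: error ignored
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	priv, now, iss := NewIDPKey(), time.Now(), "https://idp.example.test"
	tok := IssueToken(priv, "key-1", Claims{Iss: iss, Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()})
	fmt.Println(VerifyAccessToken(tok, JWKSFor(priv, "key-1"), iss, now))
}
```

Two points worth noting when mapping this onto a real deployment: the JWKS document is fetched over HTTPS from the IDP's jwks_uri and cached, with a refetch when a token carries a kid that is not in the cache (that is what makes rotation work); and the time checks here allow no clock skew, so a production verifier typically adds a small leeway around exp and nbf. Only "exp" is consumed downstream in the change described above (for the userinfo cache TTL), but the returned claims struct is the natural place to extend for authorization later.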