Up to now the builtin lico was using the "username" as the login
attribute, while the proxy (and to some extend the auth-basic) service
tried to uniquely identify users by mail address. This aligns the
default configuration of the services to use the username everywhere.
Fixes: #4039
The removed code was broken is serveral ways:
- The key use for verification was always empty
- Using a static key for access_token verification is incompatible
with key rotation
- The type assertion (which was never hit anyways) to convert
the return MapClaims to StandardClaims can't really work
So in the end we were always using the default ttl for caching
the userinfo.
The help flag is configured automatically by default already. We don't
need to redo that for every single service.
This also addresses one of the finding of "go race" (#4088)
