*: Update MAINTAINERS file

NewVerifier: fix defaulting of RS256

When NewVerifier was introduced, it forgot to default the
SupportedSigningAlgs value in the verification config. This means
an attacker can pass a token signed with any asymmetric "alg" value.

This isn't a P0 because the public key set from the provider should
only return asymmetric keys, so an attacker can't sneak a token
signed with a symmetric algorithm like HS512. RS256 is also the
weakest hash supported by square/go-jose, so you can't downgrade to
a weaker signing hash. Additionally, using jose.ParseSigned ensures
tokens encrypted with algorithms like A128GCM are rejected.

Additionally NewVerifier isn't expected to be used commonly. It's
mostly for testing (though that doesn't reduce the severity).

Unify the verifier creation code and make it impossible to pass an
empty list of SupportedSigningAlgs.

No new tests because the Verify path is already tested.

automated PR: update CoC

add id token support to verify access token hashes, fixes #126

*: expose KeySet, NewRemoteKeySet, and NewVerifier

Expose internal types to let users create IDTokenVerifiers without
using metadata discovery (/.well-known/openid-configuration). This
expands support to providers that don't implement discovery, and
lets users deliver verification keys out-of-band.

[nit] fix error message typo

fix(http): Allows 0 as an `Expires` header value

This is allowed by the RFC and is common with a few OIDC providers.

Partially addresses #136 as a temporary solution until k8s uses the
top level package

Check response content-type to improve message if cannot decode as JSON

If the Content-Type is not "application/json", add extra text indicating
that the response was not JSON before propagating the unmarshal error to
the caller.

*: various cleanups and improved unit testing

Problems with this:
* Code that didn't originate an oauth2 flow would always have to
  skip nonce checks.
* Code that checks nonces is likely to be dependent on the context
  of the Verify call, for example an HTTP request in a handler. The
  hook doesn't provide this context since its global to the verifier.
* The weirdness of this being conditional to if the nonce was present.

Overall I think it's simpler to let the user do the nonce verification.

Biggest cleanup is that the remoteKeySet now does the key ID matching
instead of the idTokenVerifier.

On the testing side, added tests that actually exercise the expected
caching behavior.

README: fix verifier initialization example

oidc: allow `none` in TokenEndpointAuthMethodsSupported

OPEN ID connect allows for `none` to be a member of
TokenEndpointAuthMethodsSupported
see https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.3

Fixes #137

*: use std library's context package

special case google accounts issuer validation

Google sometimes returns "accounts.google.com" instead of
"https://accounts.google.com". Special case this.

Originally we merged a new verification flag, but since this should
only be used with Google, and should always be on with Google, it
makes more sense for us to detect this case transparently.

Fixes #125

add an option to allow the issuer claim to be schemaless

This is because Google often returns "account.google.com" instead
of the spec compliant "https://account.google.com".

*: Update ID token Validation according to OIDC spec.

*: check if ID token has expired.

example: Correct go run command in README.

pass context to all requests

Use a token-aware HTTP client for UserInfo