
Add support for checking 'iss' claim against issuer

Open paulmillar opened this issue 2 years ago • 0 comments

Many OPs issue a JWT as the AT. I imagine it would be relatively trivial for oidc-token to inspect the token and, if it is a JWT, extract the iss claim value. This value could then be compared with what oidc-agent believes is the issuer URL.

A discrepancy can occur if (for example) the URL given to oidc-gen was malformed (e.g., containing unexpected trailing slashes). However, this incorrect value might go undetected, as the oidc document discovery would still work.

oidc-token could then issue a warning if the issuer doesn't match the expected value. This would give the user the opportunity to update the issuer URL.

paulmillar, Feb 11 '22 22:02
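The check proposed above, as an added example in C (the language oidc-agent is written in); this is not oidc-agent's own code. SAMPLE_TOKEN is a constructed JWT and the issuer URLs are placeholders; the trailing-slash case is the misconfiguration the issue describes.

```c
#include <string.h>
/* Added example, not oidc-agent code: compare a JWT access token's "iss" claim
 * with the issuer URL configured for the account. This is a misconfiguration
 * check only; the signature is not verified and the token is not trusted. */
/* Decode one unpadded base64url segment into buf; returns length or -1. */
static int b64url_decode(const char *s, size_t n, unsigned char *buf, size_t cap) {
    const char *tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    unsigned int acc = 0; int bits = 0; size_t out = 0;
    for (size_t i = 0; i < n; i++) {
        const char *p = s[i] ? strchr(tbl, s[i]) : NULL;
        if (!p) return -1;                              /* not base64url */
        acc = (acc << 6) | (unsigned)(p - tbl); bits += 6;
        if (bits >= 8) {
            if (out >= cap) return -1;
            bits -= 8; buf[out++] = (acc >> bits) & 0xFF; acc &= (1u << bits) - 1;
        }
    }
    return (int)out;
}
/* Minimal scan for "iss":"..." in the decoded payload (a real implementation
 * would use a JSON parser). Returns 0 and fills iss on success. */
static int extract_iss(const char *json, char *iss, size_t cap) {
    const char *p = strstr(json, "\"iss\"");
    if (!p || !(p = strchr(p + 5, ':'))) return -1;
    for (p++; *p == ' '; p++) ;
    if (*p != '"') return -1;
    const char *end = strchr(++p, '"');
    if (!end || (size_t)(end - p) >= cap) return -1;
    memcpy(iss, p, (size_t)(end - p)); iss[end - p] = '\0';
    return 0;
}
/* 0 = iss matches the configured issuer; 1 = mismatch, worth a warning;
 * -1 = opaque (non-JWT) token or no iss claim, so there is nothing to check. */
int check_issuer(const char *token, const char *configured, char *found, size_t cap) {
    const char *d1 = strchr(token, '.');
    const char *d2 = d1 ? strchr(d1 + 1, '.') : NULL;
    if (!d1 || !d2) return -1;
    unsigned char payload[1024];
    int n = b64url_decode(d1 + 1, (size_t)(d2 - d1 - 1), payload, sizeof payload - 1);
    if (n < 0) return -1;
    payload[n] = '\0';
    if (extract_iss((const char *)payload, found, cap) != 0) return -1;
    /* Exact comparison on purpose: a stray trailing slash in the configured URL
     * is exactly the discrepancy this check is meant to surface. */
    return strcmp(found, configured) == 0 ? 0 : 1;
}
/* Constructed sample: header {"alg":"HS256"}, payload {"iss":"https://op.example"},
 * and a dummy signature segment. Placeholder values, not a real token. */
const char *SAMPLE_TOKEN =
    "eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL29wLmV4YW1wbGUifQ.c2ln";
```

Calling `check_issuer(SAMPLE_TOKEN, "https://op.example/", found, sizeof found)` returns 1, which is where oidc-token would print its warning; an opaque (non-JWT) token returns -1 and is left alone.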