vouch-proxy
Supporting IdPs that only have "sub" claims in UserInfo (continuing #310)
Picking up PR #310
Had to make a couple of fixes to get go get to work with hcl/printer, and then had to update vegeta. But I built a docker container, ran this against my custom OIDC that only gives sub back on UserInfo, and it works like a dream!
Tagging @bnfinet, their enthusiasm and kindness made me wanna put in some effort to make this change happen!
I'm sorry for all the dumb commits and merge conflicts, I shoulda rebased off master, realized the PR I based this off of was outdated. I'm still learning the finer points of go modules.
Saw your remediation of the jwt library, so I'm not too worried about the WhiteSource CVE.
PS: I'm deep in OIDC/OAuth specs nowadays, and the "audience can be a string, or array of strings" is an all-timer crazy decision. Sure, looks like a minor thing, just some extra brackets in some json. But I've come across so many implementations of trying to map that laissez-faire json to an object and none of them are great. It's a tricky problem to solve!
This is probably horribly out of date now