Verify the JWT signature

[jimmyjames]

Changes

This change adds back the verification of the JWT's signature, which was removed in version 2.3.0.

This PR adds back signature verification for both HS256 and RS256 signed JWTs. Tests have been added to ensure that we are indeed verifying signatures, and doing so in a way that does not introduce breaking changes.

Note:
As this library only supports the Authorization Code flow, per the [OIDC Specification section 3.1.3.7] (https://openid.net/specs/openid-connect-core-1_0-final.html#IDTokenValidation), verifying the ID Token's signature is not strictly required:

If the ID Token is received via direct communication between the Client and the Token Endpoint (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking the token signature.

However, when we can verify the signature, we should; also removing the signature verification was a regression that this change addresses.

Testing

In addition to adding unit tests to verify the signature verification and claims validation, I also tested with a Quickstart sample, using both RS256 and HS256 signing algorithms, using a local version of this SDK with this fix included:

• Valid JWTs were verified successfully

• JWTs with invalid signatures are rejected

• This change adds unit test coverage

• This change has been tested on the latest version of the platform/language or why not

Checklist

• I have read the Auth0 contribution guidelines
• I have read the Auth0 Code of Conduct
• All existing and new tests complete without errors
• All code quality tools/guidelines in the CONTRIBUTING documentation have been run/followed

[lbalmaceda]

LGTM