Refactor API tests (#483)

* Add Username scoped to domain OIDC type

This implements the second part of #398, adding support for OIDC
subjects that are simply usernames. A configured domain will be appended
to the username and included as a SAN email address.

Like #455, token issuers must partially match the configured domain. The
top level and second level domain must match, and it's expected that we
validate ownership for what's configured in the issuer and domain
fields.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

* Refactor API tests

This refactor adds tests for all supported OIDC types, and makes it
simpler to add new tests for new OIDC types.

* Add tests for K8s and GitHub OIDC types.
* Add additional verification for issued certificate values
* Add dedicated test for RootCert success, don't call RootCert in every test.
* Move common expectations to function. This provides a single place to
  check response values.
* Move common set up to dedicated functions.
* Lowercase all error messages, because style.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>