identity: add IdP access and identity token verification for OIDC (#5614)

## Summary
For the generic `oidc` provider, used by `auth0`, `cognito`, `gitlab`,
`google`, `oidc`, `okta`, `onelogin` and `ping`, add support for direct
access and identity token verification. Because Keycloak uses `oidc`
this also adds support for Keycloak.

Access tokens are verified by using the user info endpoint. If a call to
this endpoint succeeds using the access token, that access token is
considered valid and the user info claims will be returned.

Identity tokens are verified by using the jwks endpoint to retrieve the
signing key, and verifying that the identity token was signed with that
key. If the identity token is valid the claims in the JWT will be
returned.

## Related issues
-
[ENG-2312](https://linear.app/pomerium/issue/ENG-2312/core-implement-token-validation-for-keycloak)


## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review

pkg/identity/oidc/azure/microsoft_test.go

@@ -16,7 +16,6 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/pomerium/pomerium/internal/testutil"
-	"github.com/pomerium/pomerium/pkg/identity/identity"
 	"github.com/pomerium/pomerium/pkg/identity/oauth"
 )
 
@@ -110,24 +109,3 @@ func TestVerifyAccessToken(t *testing.T) {
 	_, err = p.VerifyAccessToken(ctx, rawAccessToken2)
 	assert.ErrorContains(t, err, "invalid audience")
 }
-
-func TestVerifyIdentityToken(t *testing.T) {
-	t.Parallel()
-
-	ctx := testutil.GetContext(t, time.Minute)
-
-	mux := http.NewServeMux()
-	srv := httptest.NewServer(mux)
-
-	p, err := New(ctx, &oauth.Options{
-		ProviderName: Name,
-		ProviderURL:  srv.URL,
-		ClientID:     "CLIENT_ID",
-		ClientSecret: "CLIENT_SECRET",
-	})
-	require.NoError(t, err)
-
-	claims, err := p.VerifyIdentityToken(ctx, "RAW IDENTITY TOKEN")
-	assert.ErrorIs(t, identity.ErrVerifyIdentityTokenNotSupported, err)
-	assert.Nil(t, claims)
-}