Add configurable validation policy

[leastprivilege]

• validate issuer against authority
• require c_hash/at_hash
• require id_token on refresh token response
• allowed algorithm (id_token signatures)
• require HTTPS (authority vs endpoints)
• require all endpoints on same domain as authority

[leastprivilege]

require kid?

[leastprivilege]

move to v2