Enhance to allow per-request validation mode

[brockallen]

IOW, allow JWTs to be validated local, but reference tokens to be validated at AS.

[leastprivilege]

done on dev