Split `jwt_token_invalid` error type: separate error type for semantic token errors

[johakoch]

Currently, there are three specific jwt error types:

• jwt_token_missing for a missing token,
• jwt_token_expired for an expired token,
• jwt_token_invalid for an invalid token (token syntactically not a JWT, or not sufficient, e.g. because required claims are missing or have unexpected values).

As the jwt_token_invalid currently covers both syntactic and semantic invalidity, it's impossible to do separate error handling for semantic errors (like missing claims or unexpected claim values) on the one hand, and syntactic errors (like broken tokens, invalid signature) on the other.

The new error type should cover the following cases:

• missing claim (as per required_claims attribute)
• unexpected claim values (as per claims attribute); this also applies to issuer and audience verification.

[johakoch]

Additionally, the jwt lib throws jwt.ErrTokenNotValidYet if a token is used before nbf. Currently we treat this as jwt_token_invalid, too. In terms of how a client should react in this case, it's only "try again later, with the same token". However this may be a rare case...