Remove the logic to check id token from header

[incfly]

As discussed in https://github.com/istio-ecosystem/authservice/pull/187/files#r737769246, current implementation checks both

• if there's a valid session id, this is extracted from the cookie. if there's one and matches the authservice's own session store(redis or in memory whatever). Authservice implementation is not putting id token in the browser side, instead it maintains its own session store, mapping from session id to the token response (containing id token). -- this is something I just realized.
• if there's a valid id token in configured header name, we allow the request as well.

The intention for the project, in my understanding is for the human flow. Therefore we can assume there's always a browser & session involved here. So the second flow can be removed for simplification.

[incfly]

original thread https://github.com/istio-ecosystem/authservice/issues/140#issuecomment-952228521

[bburky]

Removing support for allowing requests based on an id token would be fine with me. It was never documented. It's presence weakens the security that #140 could provide.

If users use Istio, the following policy can be used to retain the previous behavior (untested). Additional RequestAuthentication and AuthorizationPolicies can be used to validate the credential.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-authz
spec:
  action: CUSTOM
  provider:
    name: authservice
  rules:
  - when:
    - key: request.headers[Authorization]
      notValues: ["Bearer *"]