This PR modifies the authentication backend in order to only allow logging in if the access token's aud claim contains one of the trusted audiences.
Trusted audiences can be defined in the already existing setting settings.OIDC_AUTH["OIDC_AUDIENCES"]
Other implementation notes
The client_id of the current django project is automatically added to the OIDC_AUDIENCES list if not already there
According to the openid-connect spec, a token's aud claim can be either a list or a string. This PR handles both cases.
The check for a valid access token is done inside the get_user_by_id function in order to make it available also for users that are logging in via django-rest-framework, with the drf-oidc-auth package
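The audience check described above, as an added example that is not the PR's own code or the project's backend: a trusted-audience set built from a hypothetical settings dict (the OIDC_AUTH keys OIDC_CLIENT_ID and OIDC_AUDIENCES, and the settings/user-table shapes, are assumptions for illustration), an aud normaliser that accepts both the string and the list form allowed by OpenID Connect, and a stand-in get_user_by_id that refuses the lookup when no trusted audience is present. The token is assumed to have already been signature-verified and decoded into a claims dict.

```python
"""Added example (not the PR's code): reject OIDC access tokens whose ``aud``
claim does not name a trusted audience.

Hypothetical assumptions, not taken from the project:
- ``SETTINGS`` is a plain dict standing in for ``django.conf.settings``.
- ``OIDC_AUTH["OIDC_AUDIENCES"]`` lists the trusted audiences.
- ``OIDC_AUTH["OIDC_CLIENT_ID"]`` is this project's client_id.
- ``claims`` is the already signature-verified, decoded token payload.
"""

# Constructed sample settings for the example.
SETTINGS = {
    "OIDC_AUTH": {
        "OIDC_CLIENT_ID": "my-django-app",      # hypothetical client_id
        "OIDC_AUDIENCES": ["reporting-api"],    # hypothetical trusted audiences
    }
}


class AuthenticationFailed(Exception):
    """Raised when the token must not be used to log a user in."""


def trusted_audiences(settings=SETTINGS):
    """Trusted audience set; the project's own client_id is added if the
    OIDC_AUDIENCES setting does not already contain it."""
    conf = settings["OIDC_AUTH"]
    audiences = set(conf.get("OIDC_AUDIENCES", []))
    audiences.add(conf["OIDC_CLIENT_ID"])
    return audiences


def audience_claim_as_set(aud):
    """Normalise ``aud``: OpenID Connect allows a single string or a list.
    Anything else (missing, numeric, nested) yields no audiences or an error."""
    if aud is None:
        return set()
    if isinstance(aud, str):
        return {aud}
    if isinstance(aud, (list, tuple)):
        return {a for a in aud if isinstance(a, str)}
    raise ValueError("aud claim must be a string or a list of strings")


def has_trusted_audience(claims, settings=SETTINGS):
    """True if at least one value of the token's aud claim is trusted."""
    try:
        token_auds = audience_claim_as_set(claims.get("aud"))
    except ValueError:
        return False
    return bool(token_auds & trusted_audiences(settings))


def get_user_by_id(claims, users, settings=SETTINGS):
    """Stand-in for the backend's user lookup. Doing the audience check here
    means both session logins and DRF requests (drf-oidc-auth) go through it
    before any user record is touched."""
    if not has_trusted_audience(claims, settings):
        raise AuthenticationFailed("access token audience is not trusted")
    return users.get(claims.get("sub"))


if __name__ == "__main__":
    users = {"u1": "alice"}                       # constructed user table
    print(get_user_by_id({"sub": "u1", "aud": ["x", "reporting-api"]}, users))
    try:
        get_user_by_id({"sub": "u1", "aud": "some-other-client"}, users)
    except AuthenticationFailed as exc:
        print("rejected:", exc)
```

Note the failure mode on the non-string aud: a token whose aud is an integer or an object is treated as having no audience and is rejected, rather than raising an unhandled exception out of the authentication path.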