mozilla / fxa-oauth-server

OAuth server for Firefox Accounts

[openid-connect] Add at_hash claim in JWT token #509

Closed leplatrem closed 6 years ago

leplatrem commented 6 years ago

It is possible to verify a JWT ID token's at_hash claim using an access token: http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken

We discovered that python-jose was expecting it when providing both the id and access tokens in decode(): https://github.com/mpdavis/python-jose/pull/30 and https://github.com/mpdavis/python-jose/issues/75

Maybe it would be an interesting feature to support. It's not blocking us though ;)

rfk commented 6 years ago

Assigning to myself so I don't lose track of this, because I'm generally in favour of adding more OIDC spec compliance that helps us work with existing libraries. I probably won't prioritize it until sometime next year tho...
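
For readers of this thread, an added example (not code from fxa-oauth-server or python-jose) of how a client can check the at_hash binding described in the linked OpenID Connect Core section: hash the ASCII access token with the hash that matches the ID token's `alg`, keep the left-most half, and base64url-encode it without padding. The helper names, the issuer URL and the sample tokens are constructed for illustration, and signature verification of the ID token is assumed to happen separately.

```python
import base64
import hashlib
import hmac
import json

# Hash size is taken from the JWS "alg" suffix (RS256 -> SHA-256, ES384 -> SHA-384, ...).
_HASH_FOR_ALG = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_json(segment: str) -> dict:
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def compute_at_hash(access_token: str, alg: str) -> str:
    """Left-most half of hash(ASCII access token), base64url without padding."""
    hash_fn = _HASH_FOR_ALG.get(alg[-3:]) if alg[:2] in ("RS", "ES", "PS", "HS") else None
    if hash_fn is None:  # rejects "none" and anything unrecognised
        raise ValueError(f"unsupported alg for at_hash: {alg!r}")
    digest = hash_fn(access_token.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])


def check_at_hash(id_token: str, access_token: str, required: bool = False) -> bool:
    """Check the token binding only; verify the ID token signature separately."""
    header_b64, payload_b64, _sig = id_token.split(".")
    header, claims = _b64url_json(header_b64), _b64url_json(payload_b64)
    claimed = claims.get("at_hash")
    if claimed is None:
        return not required  # at_hash is optional in the code flow
    expected = compute_at_hash(access_token, header["alg"])
    return hmac.compare_digest(expected.encode(), str(claimed).encode())


def make_sample_id_token(access_token: str, alg: str = "RS256", with_hash: bool = True) -> str:
    """Constructed, unsigned sample token for the demo (placeholder signature)."""
    claims = {"iss": "https://issuer.example", "sub": "constructed-user"}
    if with_hash:
        claims["at_hash"] = compute_at_hash(access_token, alg)
    parts = [json.dumps({"alg": alg, "typ": "JWT"}), json.dumps(claims)]
    return ".".join(_b64url(p.encode()) for p in parts) + ".c2ln"
```

Pass `required=True` when the client's policy is to reject ID tokens that arrive with an access token but carry no at_hash.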