JWT lib vulnerability

[pedromss]

Issue Description

The library used for the JWT middleware has a known vulnerability and needs to be upgraded. The next version available however is a major one and as a -preview suffix which I think makes this invalid in go.mod standards.

Refer to https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515 for details

Version/commit

v4.1.17

[pedromss]

Duplicated in #1712 #1647 #1713

[aldas]

See comment #1663 (comment)

If you have set aud checking optional and token is from authoritative source (signed with trusted key) is failure to check token aud value matches even an error - because you have made EXPLICIT rule that aud can be empty.