(PXP-6617): remove scopes from jwt aud claim

[vpsx]

Jira Ticket: PXP-6617

TODO: Make ticket for go-authutils-branches thing see below

TODO: When Fence 5.0.0 is "in" a 2021.xx release, update the description again

Related Fence changes: uc-cdis/fence#839

Authutils PR: uc-cdis/go-authutils#3

New Features

Breaking Changes

• In step with Fence changes to issued JWTs, in which scopes are moved into a dedicated scope claim (Fence 4.22.2/2020.08) and out of the aud claim (Fence 5.0.0/2021.07), this commit changes Arborist JWT validation logic so that it does the same validation it was doing on the aud field, but does it on the scope field instead. This Arborist version must therefore be paired with a Fence later than 4.22.2/2020.08. Conversely, Fence 5.0.0/2021.07 will require Arborist later than this commit.

Bug Fixes

Improvements

• Run dep ensure to update lockfile and dependencies.

Dependency updates

• Depend on fix/aud-scopes branch of go-authutils, instead of the feat/initial branch. (Not sure why arborist was depending on feat/initial instead of master in the first place. fix/aud-scopes is branched off of feat/initial. We should test Mariner with go-authutils fix/aud-scopes and then merge fix/aud-scopes to master, and then point both Mariner and Arborist at go-authutils master.)

Deployment changes

• Needs Fence later than 4.22.2 or 2020.08 (which introduces the new JWT scopes claim).

[coveralls]

Coverage remained the same at 74.531% when pulling 0faa82e on fix/aud-scopes into 3b3f1cf on master.