all: migrate from go-jose/v2 to go-jose/v4

[piersdd]

Summary

gopkg.in/square/go-jose.v2 is unmaintained. The canonical library is now github.com/go-jose/go-jose/v4.

This is a mostly mechanical import path migration across 6 source files with three notable API changes in v4:

1. jwt.ParseSigned() requires explicit algorithm allowlisting — callers must pass []jose.SignatureAlgorithm{jose.RS256}. This is a security improvement that prevents algorithm confusion attacks.

2. CompactSerialize() → Serialize() — renamed in v4.

3. Single-element aud serialised as string — go-jose/v4 follows RFC 7519 and serialises a single-element audience as a JSON string rather than a one-element array. Updated the TestAZPClaimWithMultipleAudiences test to handle both representations.

Files changed

File	Change
go.mod / go.sum	Dependency swap
server/server.go	Import path
server/token.go	Import path + Serialize() rename
server/oauth-metadata.go	Import path
server/token_test.go	Import path + ParseSigned algorithm param + audience assertion
server/helpers_test.go	Import path
server/extraclaims_test.go	Import path

No changes to cmd/verifier/verifier.go (uses stdlib crypto) or server/server_test.go (no go-jose imports).

Test plan

• go build ./... passes
• go test ./... passes (all existing tests)
• go vet ./... clean
• gofmt -l . produces no output

[ScrappyXII]

Something perhaps worthwhile to mention as well: go.sum cleanup is a secondary positive effect. go-jose/v2 leaked testify, go-difflib, and go-spew into the module graph as transitive test dependencies. Removing those is a nice bonus.

[ScrappyXII]

Something else potentially worth noting and acknowledging:
The audience serialization change is a behavioral change to issued JWTs. go-jose/v4 serializes single-element aud as a plain string per RFC 7519 §4.1.3, where v2 always emitted a JSON array. This PR correctly updates the test assertions but doesn't necessarily directly address the production-side impact: every JWT issued by this IdP with a single audience will now contain "aud": "clientid" instead of "aud": ["clientid"]. This is spec-correct but also is a silent wire-format change. Many OIDC/JWT validators — including strict implementations and some older libraries — only accept aud as an array. Notably, cmd/verifier/verifier.go already handles both forms it seems (the switch v := aud.(type) pattern).

[ScrappyXII]

please also update your commit with the DCO.
Should be git commit --amend -s to add the Signed-off-by.