access controls: provide more specific reason for request rejection

[johakoch]

Currently there are only two visible reasons for a request rejected by JWT access control:

• "Authorization required" with status 401
• "Authorization failed" with status 403

Internally, there are several reasons for the rejection of a request, leading to "Authorization failed" with status 403:

• an Authorization header is included, but its value lacks "bearer" (case-insensitively) (accesscontrol.ErrorBearerRequired)
• the JWT is malformed (jwt.MalformedTokenError), e.g.
  • it does not consist of three parts separated by '.'
  • the JWT header is malformed
  • the JWT body is malformed
• the token signature is invalid (jwt.InvalidSignatureError)
• the token issuer (iss claim) has an unexpected value (jwt.InvalidIssuerError)
• the expected token audience is not found in the aud claim (if present) (jwt.InvalidAudienceError)
• the token lacks a required claim (jwt.InvalidClaimsError)
• the token lacks a required claim, for which a specific value is expected
• the token has a required claim, but its value is unexpected

It would be handy to have the more specific reason in the error response.

[johakoch]

Same for other access controls (like saml2_acs)

[filex]

It would be handy to have the more specific reason in the error response.

the specific reason should be included in the error field of the access log. we should probably not "leak" that information to the client.