traefik plugin 0.7.7 (#73)

* Automatic discovery of the scopes.

Issue #61 raised very valid concerns about users configuring scopes that are not supported by the provider.
This change introduces automatic discovery of supported scopes by fetching the provider's discovery document and filtering out unsupported scopes.

Before:
User configures: scopes: ["openid", "profile", "email", "offline_access"]
Self-hosted GitLab: "The requested scope is invalid, unknown, or malformed"
Authentication:  FAILS

After:
User configures: scopes: ["openid", "profile", "email", "offline_access"]
Middleware checks discovery doc → offline_access not supported
Automatically filters to: ["openid", "profile", "email"]
Authentication:  SUCCEEDS

* Resolves issue #74 by enabling users to specify the expected audience in the configuration.

* Fix flaky tests.
2025-10-08 11:44:00 +01:00
committed by GitHub
parent 79d34ea4c9
commit bde1db1c3b
29 changed files with 3214 additions and 85 deletions
+3
@@ -586,6 +586,7 @@ func TestIssue67_TokenResilienceRecursionBug(t *testing.T) {
oidc := &TraefikOidc{
tokenURL: server.URL + "/token",
clientID: "test_client",
audience: "test_client",
clientSecret: "test_secret",
tokenResilienceManager: resilienceManager,
tokenHTTPClient: &http.Client{
@@ -671,6 +672,7 @@ func TestIssue67_TokenResilienceManager_NoRecursion(t *testing.T) {
oidc := &TraefikOidc{
tokenURL: server.URL + "/token",
clientID: "test_client",
audience: "test_client",
clientSecret: "test_secret",
tokenResilienceManager: resilienceManager,
tokenHTTPClient: &http.Client{
@@ -738,6 +740,7 @@ func TestIssue67_DirectRecursionDetection(t *testing.T) {
oidc := &TraefikOidc{
tokenURL: server.URL + "/token",
clientID: "test",
audience: "test",
clientSecret: "test",
tokenResilienceManager: NewTokenResilienceManager(config, logger),
tokenHTTPClient: &http.Client{Timeout: 2 * time.Second},
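Review bot: All three fixtures set `audience` to the same string as `clientID` (`"test_client"` twice, `"test"` once), so these tests pass whether the token's `aud` claim is checked against the configured audience or against the client ID. Since the commit makes the expected audience configurable, at least one case should use a distinct value, e.g. `audience: "test_audience",` with the mock token's `aud` set to match, so a regression back to comparing against `clientID` is caught. Such a test may exist in one of the other changed files, which are not visible here. If the field is needed only because these struct literals bypass constructor defaulting (an inference, as the constructor is not shown), a short comment such as `// audience mirrors clientID; literal construction skips defaulting` would say so. The three test functions begin and end outside the hunks shown.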