traefik plugin 0.7.7 (#73)

* Automatic discovery of the scopes.

Issue #61 raised very valid concerns about users configuring scopes that are not supported by the provider.
This change introduces automatic discovery of supported scopes by fetching the provider's discovery document and filtering out unsupported scopes.

Before:
User configures: scopes: ["openid", "profile", "email", "offline_access"]
Self-hosted GitLab: "The requested scope is invalid, unknown, or malformed"
Authentication: ❌ FAILS

After:
User configures: scopes: ["openid", "profile", "email", "offline_access"]
Middleware checks discovery doc → offline_access not supported
Automatically filters to: ["openid", "profile", "email"]
Authentication: ✅ SUCCEEDS

* Resolves issue #74 by enabling user to specify expected audience in the configuration.

* Fix flaky tests.

main_test.go

@@ -124,6 +124,7 @@ func (ts *TestSuite) Setup() {
 	ts.tOidc = &TraefikOidc{
 		issuerURL:          "https://test-issuer.com",
 		clientID:           "test-client-id",
+		audience:           "test-client-id",
 		clientSecret:       "test-client-secret",
 		jwkCache:           ts.mockJWKCache,
 		jwksURL:            "https://test-jwks-url.com",
@@ -1304,6 +1305,7 @@ func TestHandleCallback(t *testing.T) {
 
 				// Add potentially missing fields based on New() comparison
 				clientID:     ts.tOidc.clientID,
+				audience:     ts.tOidc.clientID,
 				issuerURL:    ts.tOidc.issuerURL,
 				jwkCache:     ts.tOidc.jwkCache, // Use the mock cache from TestSuite
 				httpClient:   ts.tOidc.httpClient,
@@ -1668,6 +1670,7 @@ func TestHandleLogout(t *testing.T) {
 				tokenBlacklist: NewCache(), // Use generic cache for blacklist
 				httpClient:     &http.Client{},
 				clientID:       "test-client-id",
+				audience:       "test-client-id",
 				clientSecret:   "test-client-secret",
 				tokenCache:     NewTokenCache(),
 				forceHTTPS:     false,