Use ID token for OAuth authentication, not Access Token

[zrhoffman]

As specified in OpenID.Core, the ID Token is a required security token that must be a JWT, but nothing requires that access tokens are JWTs, or even that they exist. #7621 makes our OAuth implementation use id_token, not access_token, which fixes #7626.

#7621 also moves the AccessToken and IDToken constants to the rfc package, because they are standardized.

---

Which Traffic Control components are affected by this PR?

• Traffic Ops

PR submission checklist

• This PR has tests
• This PR has documentation
• This PR has a CHANGELOG.md entry
• This PR DOES NOT FIX A SERIOUS SECURITY VULNERABILITY (see the Apache Software Foundation's security guidelines for details)

[codecov]

Codecov Report

Merging #7621 (1c52cc6) into master (46f602a) will decrease coverage by 33.13%.
The diff coverage is n/a.

@@              Coverage Diff              @@
##             master    #7621       +/-   ##
=============================================
- Coverage     65.04%   31.92%   -33.13%     
  Complexity       98       98               
=============================================
  Files           314      497      +183     
  Lines         12365    39459    +27094     
  Branches        907       90      -817     
=============================================
+ Hits           8043    12596     +4553     
- Misses         3968    25693    +21725     
- Partials        354     1170      +816     

Flag	Coverage Δ
golib_unit	48.30% <ø> (?)
grove_unit	4.60% <ø> (?)
t3c_unit	5.28% <ø> (?)
traffic_monitor_unit	21.30% <ø> (?)
traffic_portal_v2	?
traffic_stats_unit	10.14% <ø> (?)
unit_tests	25.49% <ø> (-48.27%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 401 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[kdamichie]

Looks good. Tested and it works