Simplify authresponse

[aricart]

This PR reworks the auth callout to simply return an user JWT.

• Tests added
• Branch rebased on top of current main (git pull --rebase origin main)
• Changes squashed to a single commit (described here)
• Build is green in Travis CI
• You have certified that the contribution is your original work and that you license the work to the project under the Apache 2 license

Changes proposed in this pull request:

The original auth callout response, is simpler:

• the response is just JSON {error: string, user_token: string}. If encrypted the entire payload is encrypted.
• The server id which was set as an audience, is now set as a tag, this allows the server to verify the server (albeit by turning the server ID lower case)
• For operator mode, the callout should include it's public key, and sign the payload, and return both of these values in a header. This way the server can verify that the payload was sent from the expected service. On encrypted payloads this is not required, since the payload is encrypted and the server can verify.

The callout service can now use account signing keys and scoped signing keys. The server will validate the signing keys used to match the target account, and in the case of the scoped signing key, will assign limits as recorded in the destination account. The one requirement is that the limits be default (zero) struct (otherwise the resulting JWT will be invalid once validation runs).

The audience field is now reserved for account placement on non-operator mode. In operator mode, the user JWT has all the proper attributions to determine the target account.

/cc @nats-io/core

[derekcollison]

Let me know when we think this one is ready for review.

[derekcollison]

LGTM