Set audience validation default to off

[MarcusGrass]

Checklist

• I have read the Contributor Guide
• I have read and agree to the Code of Conduct
• I have added a description of my changes and why I'd like them included in the section below

Description of Changes

Since jsonwebtoken 9x audience is validated by default. The library's validation of that token is itself finicky since audience can be provided in multiple (valid) ways. To avoid creating production incidents because of unexpected upstream library's parsing strategy, audience-validation will default to off as in 8.x, then the client gets the responsibility to validate audience after decoding.

Whether this should be considered a major-version bump or bugfix is debatable. If this audience validation change is considered a bug, then this is a bugfix from a bug introduced in 0.6.1 if that's not considered a bug then 0.6.1 should have been 0.7.0 and this should be 0.8.0, I'm leaning towards this being a bugfix since this behaviour was not intended, placing us at 0.6.2.

Drive-by fixing the changelog and toml version.

There was some spec-noncompliance where userinfo-endpoint was required although the spec says recommended, made that optional, causing this to be a major version bump anyway.

Also found a bug in the PKCE+client-secret flow that was fixed up.

Fixed the examples by duplicating them, one for basic auth and one for PKCE, they are now both up-to-date and hopefully a bit easier to understand.

[vojd]

Will approve when we know that the examples aren't negatively affected by this seemingly minor (but big) change