
Include the optional at_hash claim in ID token #601

Open
VJalili opened this issue Mar 27, 2019 · 0 comments
@VJalili
Contributor

VJalili commented Mar 27, 2019

After user authentication and consent, Fence's callback to my client application contains both ID and access tokens (among other information). The decoded payload of the ID token contains the following info:

```json
{
  "aud": [
    "openid",
    "user",
    "UST2wwfQZZh9U6rybdJ6orAOo04uffCkW9QQWxUD"
  ],
  "iss": "https://localhost/user",
  "iat": 1553658658,
  "jti": "75a9632f-e5a4-4dd8-a0a1-a9001d85f6fb",
  "context": {
    "user": {
      "phone_number": null,
      "display_name": null,
      "name": "...",
      "is_admin": false,
      "policies": [],
      "email": null,
      "projects": {}
    }
  },
  "auth_time": 1553658658,
  "azp": "UST2wwfQZZh9U6rybdJ6orAOo04uffCkW9QQWxUD",
  "exp": 1553659858,
  "pur": "id",
  "sub": "4"
}
```

Accordingly, the ID token does not contain the at_hash claim. A few points to consider:

  1. The at_hash claim is optional when an access token is not issued; however, since Fence issues both ID and access tokens, according to the OIDC specification (see the following quote), this claim is "REQUIRED":

    at_hash ... If the ID Token is issued from the Authorization Endpoint with an access_token value ... this is REQUIRED; it MAY NOT be used when no Access Token is issued
    (REF)

  2. By default, at_hash is a required claim for JavaScript Object Signing and Encryption (JOSE; e.g., see the python-jose implementation) to decode/validate a JWT token:

    ```python
    'verify_at_hash': True,
    ```

    Accordingly, by default, it is a required claim in python social auth to validate tokens (that are encoded as JWTs).

Defaults can be modified; however, for better compliance with the OIDC specification, I would recommend including at_hash in Fence-generated ID tokens.
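As an added illustration of the two points above (not code from Fence, python-jose or python-social-auth), the following computes at_hash the way OIDC Core 3.1.3.6 describes it and checks it on the client side; the claims dict and the access token string are constructed samples, and the function names are this example's own.

```python
import base64
import hashlib
import hmac

# at_hash uses the hash function that underlies the JWS "alg" of the ID token.
_ALG_HASH = {
    "RS256": "sha256", "HS256": "sha256", "ES256": "sha256",
    "RS384": "sha384", "HS384": "sha384", "ES384": "sha384",
    "RS512": "sha512", "HS512": "sha512", "ES512": "sha512",
}

def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """OIDC Core 3.1.3.6: hash the ASCII bytes of the access token, keep the
    left-most half of the digest, base64url-encode it without padding."""
    digest = hashlib.new(_ALG_HASH[alg], access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")

def verify_at_hash(id_claims: dict, access_token, alg: str = "RS256") -> bool:
    """Client-side check that the ID token is bound to the access token that
    arrived with it. Mirrors the strict default ('verify_at_hash': True):
    when an access token was issued, a missing at_hash is a failure."""
    if access_token is None:
        return True  # nothing to bind; the spec says at_hash MAY NOT be used
    claimed = id_claims.get("at_hash")
    if claimed is None:
        return False  # the situation this issue reports for Fence ID tokens
    return hmac.compare_digest(claimed, compute_at_hash(access_token, alg))

# Constructed sample: the shape of the Fence ID token payload above, trimmed.
SAMPLE_ID_CLAIMS = {
    "aud": ["openid", "user", "UST2wwfQZZh9U6rybdJ6orAOo04uffCkW9QQWxUD"],
    "iss": "https://localhost/user",
    "azp": "UST2wwfQZZh9U6rybdJ6orAOo04uffCkW9QQWxUD",
    "pur": "id",
    "sub": "4",
}
SAMPLE_ACCESS_TOKEN = "constructed.access.token.value"  # not a real token

if __name__ == "__main__":
    print("without at_hash:", verify_at_hash(SAMPLE_ID_CLAIMS, SAMPLE_ACCESS_TOKEN))
    fixed = dict(SAMPLE_ID_CLAIMS, at_hash=compute_at_hash(SAMPLE_ACCESS_TOKEN))
    print("with at_hash:", verify_at_hash(fixed, SAMPLE_ACCESS_TOKEN))
```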
