Add configurable expiration/notbefore leeways #53
path_login.go
Outdated
| // if no leeways are configured | ||
| leeway := time.Second * 0 | ||
| if role.ExpirationLeeway == 0 && role.NotBeforeLeeway == 0 { | ||
| leeway = jwt.DefaultLeeway |
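Review bot: the `&&` in `role.ExpirationLeeway == 0 && role.NotBeforeLeeway == 0` means the single `leeway` value stays at zero as soon as either field is set, so configuring only one of the two also drops `jwt.DefaultLeeway` wherever `leeway` is applied afterwards. If that is not intended, decide the skew leeway independently of the two role fields. Minor: `leeway := time.Second * 0` reads more plainly as `var leeway time.Duration`.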
This feels odd to me -- this means that if you don't set either of those, we're adding in 5 minutes of leeway above (in each direction), but then another minute here, so it's actually a 12 minute validity period. Granted this leeway accounts for clock skew in either direction, which the above calculations don't, but in the same vein, if you define the leeways above, or if you have iat/nbf defined, now you're not accounting for clock skew.
I wonder if the right logic is that we should always use the library's default leeway value to account for clock skew, but reduce the defaults we use above from 300 seconds down to, say, 150 seconds for each. That gives a validity window of 300 seconds total plus leeway.
If we add leeway all the time we should document it in CHANGES as it's a behavioral change. It may be worth another parameter, to be honest -- something like clock_skew_leeway that gets applied regardless of claims and in both directions, where we default to the library's default but people can turn it off if they don't want an extra minute of validity (which they may well not want).
jefferai left a comment
Looks good, pending putting Defaults in the schema
ec188fb to edf6623
| "expiration_leeway": { | ||
| Type: framework.TypeDurationSecond, | ||
| Description: `Duration in seconds of leeway when validating expiration of a token to account for clock skew. | ||
| Defaults to 150 (2.5 minutes), minimum of 1 second.`, |
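Review bot: the `expiration_leeway` description states "Defaults to 150", but the lines shown set only `Type` and `Description`; carrying the default in the field schema itself keeps the help text and the effective value from drifting apart. "minimum of 1 second" also does not say what happens to a smaller value, so state whether it is rejected or replaced.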
Post beta1, can you add text here (and in the other options you added) indicating that setting to 0 will use the default value?
| "not_before_leeway": { | ||
| Type: framework.TypeDurationSecond, | ||
| Description: `Duration in seconds of leeway when validating not before values of a token to account for clock skew. | ||
| Defaults to 150 (2.5 minutes), minimum of 1 second..`, |
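Review bot: the `not_before_leeway` description ends in a doubled period ("1 second.."). "not before values" would also be easier to search for if it named the `nbf` claim that the thread refers to.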
Leeways for expiration and not before were hardcoded to 300s (5m) for logins. These are now configurable (with a default of 150s) via two new args: expiration_leeway and not_before_leeway. Additionally added clock_skew_leeway to configure a 60s (1m) leeway time for all claims. This can be toggled off if no extra leeway is required.
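The window arithmetic discussed in this thread, as an added Go example that is not the plugin's code: it computes how long a token is accepted once per-claim leeways and clock skew are stacked. The type and function names are hypothetical, and the semantics (per-claim leeways fill in a missing nbf/exp from iat, clock skew is added on both sides, a skew of 0 means none) are assumptions drawn from the review comments.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

const defaultClaimLeeway = 150 * time.Second // per-claim default stated in the thread

// Leeways is a hypothetical struct for the three options named in the PR.
type Leeways struct {
	Expiration, NotBefore time.Duration // 0 selects the 150s default
	ClockSkew             time.Duration // both directions; 0 here means none (assumption)
}

// Claims holds the token's time claims; a zero time.Time means the claim is absent.
type Claims struct{ IssuedAt, NotBefore, Expiry time.Time }

func orDefault(d time.Duration) time.Duration {
	if d == 0 {
		return defaultClaimLeeway
	}
	return d
}

// Window returns the first and last accepted instants. Assumption: per-claim leeways
// only derive a missing nbf/exp from iat; clock skew widens the window in all cases.
func Window(c Claims, l Leeways) (time.Time, time.Time, error) {
	nbf, exp := c.NotBefore, c.Expiry
	if c.IssuedAt.IsZero() && (nbf.IsZero() || exp.IsZero()) {
		return nbf, exp, errors.New("iat required to derive a missing nbf or exp")
	}
	if nbf.IsZero() {
		nbf = c.IssuedAt.Add(-orDefault(l.NotBefore))
	}
	if exp.IsZero() {
		exp = c.IssuedAt.Add(orDefault(l.Expiration))
	}
	if exp.Before(nbf) {
		return nbf, exp, errors.New("exp is earlier than nbf")
	}
	return nbf.Add(-l.ClockSkew), exp.Add(l.ClockSkew), nil
}

func main() {
	iat := time.Unix(1600000000, 0) // constructed sample value
	lo, hi, _ := Window(Claims{IssuedAt: iat}, Leeways{ClockSkew: time.Minute})
	fmt.Println(hi.Sub(lo)) // total time an iat-only token is accepted
}
```

Passing 300s for both per-claim leeways with a one-minute skew reproduces the 12-minute window raised in the first review comment.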