Support Encrypted JWTs
Right now we assume the id_token is only signed. Encryption is usually redundant (it's already being sent over HTTPS), but it is still part of the OpenID spec to allow an id_token to be signed and then encrypted, in which case we need to track that and decrypt the token first.
This is more complex than just adding some extra checks - our token objects are currently JWS compacts by Biscuit spec. Upstream work may be done there to make an ambiguous "can be a JWE or JWS" type more client friendly. Otherwise we have to do that ourselves, since we need to be able to take either token type in our deserialization.
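An added sketch (not code from this project or from Biscuit) of the "take either token type" step described above: it classifies a compact serialization by segment count, three for JWS and five for JWE, per RFC 7516 section 9, so a caller can decrypt first and then verify the inner JWS. The names `CompactToken`, `ClassifyError` and `classify` are hypothetical, the sample tokens are constructed, and no decryption or signature verification is performed.

```rust
// Added example; CompactToken, ClassifyError and classify are hypothetical names.
#[derive(Debug, PartialEq)]
pub enum CompactToken<'a> {
    /// header.payload.signature
    Jws { header: &'a str, payload: &'a str, signature: &'a str },
    /// header.encrypted_key.iv.ciphertext.tag
    Jwe { header: &'a str, encrypted_key: &'a str, iv: &'a str, ciphertext: &'a str, tag: &'a str },
}

#[derive(Debug, PartialEq)]
pub enum ClassifyError {
    BadSegmentCount(usize),
    BadCharacter,
    EmptyHeader,
}

// JOSE uses unpadded base64url, so '=' and '+' and '/' are rejected.
fn is_b64url(s: &str) -> bool {
    s.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_')
}

pub fn classify(token: &str) -> Result<CompactToken<'_>, ClassifyError> {
    let parts: Vec<&str> = token.split('.').collect();
    if !parts.iter().all(|p| is_b64url(p)) {
        return Err(ClassifyError::BadCharacter);
    }
    // split() always yields at least one element, so parts[0] exists.
    if parts[0].is_empty() {
        return Err(ClassifyError::EmptyHeader);
    }
    match parts.as_slice() {
        &[header, payload, signature] => Ok(CompactToken::Jws { header, payload, signature }),
        // encrypted_key may legitimately be empty (direct key agreement).
        &[header, encrypted_key, iv, ciphertext, tag] => {
            Ok(CompactToken::Jwe { header, encrypted_key, iv, ciphertext, tag })
        }
        _ => Err(ClassifyError::BadSegmentCount(parts.len())),
    }
}

fn main() {
    // Constructed sample inputs; the segments are placeholders, not real tokens.
    for t in ["aGVhZA.cGF5bG9hZA.c2ln", "aGVhZA..aXY.Y3Q.dGFn", "a.b"] {
        println!("{:?}", classify(t));
    }
}
```

A JWE result still has to be decrypted, and the plaintext classified again as a JWS and verified, before any claim in it is trusted.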