Some issuers (e.g. PaperOS) emit `scope` as a JSON array (`[]` or
`["openid","profile"]`) instead of the RFC 6749 space-delimited string.
SpaceDelimited.UnmarshalJSON now accepts both forms; a JSON array
is converted to the equivalent slice. Other non-string, non-array
values still return an error.
Adds test cases: array_values and array_empty.
Distinguishes the two validator constructors by signature:
- NewIDTokenValidator(iss, aud, azp []string) — allowlist semantics
- NewAccessTokenValidator(iss, aud []string, requiredScopes ...string) — requirement semantics
Variadic scopes read naturally at the call site:
NewAccessTokenValidator(issuers, audiences, "openid", "profile")
Three-state semantics preserved:
no args → scope not checked
[]string{}... → scope must be present (any value)
"openid", ... → scope must contain all listed values
Also removes the old gracePeriod parameter from both constructors
(was 0 at all call sites; set GracePeriod on the struct directly
if a non-default value is needed).
Adds TestCov_NewAccessTokenValidator_Scopes covering all three cases.
