JWT signing secret is shared between server and trustauth

[HellFelix]

Both services derive their JWT secret from the same source and use only the iss claim to distinguish tokens. A token issued by the server is structurally verifiable on trustauth and vice versa.

Fix: Generate separate secrets per service.

[HellFelix]

This was not totally accurate. The secrets have been previously separated, so this was not an issue in production. What was a bit of an issue however was that the secrets used in integration testing were set to zeroed arrays (not necessarily a problem, but a little bit weird nonetheless). This has been fixed with d7054f7.

[HellFelix]

Fix mentioned in comment above merged to stage with #63