Option to relax bound_issuer validation (domain vs URL)

[thomasgl-orange]

Is your feature request related to a problem? Please describe.
GitLab is in the process of modifying the JWT tokens it provides in CI jobs, and in particular it is changing the iss (Issuer) claim value:

• it was gitlab.something.com in old-style tokens (deprecated but widely used)
• it is https://gitlab.something.com in new tokens (obtained via a new pipeline keyword)

It's a legitimate change, but transition is painful in the context of GitLab/Vault interactions, because on Vault side it requires two JWT auth URLs; one for each style of tokens (for each specific bound_issuer). GitLab users (pipelines authors) must take into account that when they update the way they obtain a JWT token, they must also adapt their target Vault auth URL. In our case it will affect many people across many project/teams.

Describe the solution you'd like
I'd like to have the option to configure JWT auth plugin only once in Vault, in such a way it tolerates both forms of Issuer claim (FQDN and https://FQDN). It could be a boolean option to enable the special case (something like "ignore protocol in iss: claim if bound_issuer is a domain name"), or the ability to provide a list of bound_issuers.
At least the "special case" option would not be too difficult to take into account in cap/jwt, I think, here:

cap/jwt/jwt.go

Line 141 in 6d1e00a

if expected.Issuer != "" && expected.Issuer != claims.Issuer {

Describe alternatives you've considered
The alternative is to live with two JWT auth URL in Vault during the transition period, until deprecated tokens disappear, like this.