This repository has been archived by the owner on May 24, 2023. It is now read-only.

We should not silently put JWT to ctx.Locals() #58

Open
shytikov opened this issue Sep 10, 2021 · 0 comments


shytikov commented Sep 10, 2021

Currently, on successful validation the token is always saved to ctx.Locals(), but I'm not sure it's necessary, as we can always get this information from the ctx anyway, from headers, cookies or URL params. What might be valuable is to have the claims saved instead.

And in any case, we should not decide, but rather give a developer an option on how to treat this situation – the best would be to update the signature of SuccessHandler and pass a JWT there. And in case a developer needs it – he / she could save the information that they need where they want. Today it's not even possible to switch off this behavior.
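
The design proposed in this issue, sketched as an added example (not the project's code): validation writes nothing to the context and passes the raw token and its claims to a success handler, which decides what to store. `Ctx`, `Mint`, `Validate`, the handler signature and the key are hypothetical; the signature algorithm is fixed to HS256 and expiry checks are left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// Ctx is a hypothetical stand-in for the framework's per-request context.
type Ctx struct{ Locals map[string]interface{} }

// mac returns the base64url HMAC-SHA256 over a JWT signing input.
func mac(input string, key []byte) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(input))
	return b64.EncodeToString(h.Sum(nil))
}

// Mint builds a constructed HS256 sample token from a JSON claims string.
func Mint(claimsJSON string, key []byte) string {
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString([]byte(claimsJSON))
	return input + "." + mac(input, key)
}

// Validate verifies the HS256 signature (the header's alg is ignored, never trusted)
// and hands token and claims to onSuccess. It never writes to c.Locals itself.
func Validate(c *Ctx, raw string, key []byte, onSuccess func(*Ctx, string, map[string]interface{}) error) error {
	p := strings.Split(raw, ".")
	if len(p) != 3 || !hmac.Equal([]byte(p[2]), []byte(mac(p[0]+"."+p[1], key))) {
		return errors.New("invalid token")
	}
	var claims map[string]interface{}
	if body, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(body, &claims) != nil {
		return errors.New("invalid claims")
	}
	return onSuccess(c, raw, claims)
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample key
	c := &Ctx{Locals: map[string]interface{}{}}
	keep := func(c *Ctx, _ string, cl map[string]interface{}) error { c.Locals["sub"] = cl["sub"]; return nil }
	fmt.Println(Validate(c, Mint(`{"sub":"alice"}`, key), key, keep), c.Locals)
}
```

Here the handler keeps only the `sub` claim, so the bearer token itself never sits in request-local state where later handlers or logging code could pick it up.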
