It should be possible to run the client on any workstation that has access to the config API.
An SSA is a JWT which is presented during dynamic client registration. It is signed by the AS (i.e. Auth Server).
If the Auth Server admin generates a software statement, the admin could provide this to the person who wants to use the TUI, and then each instance of the TUI would generate distinct client credentials.
This would enable the TUI to generate a cryptographic key pair, and use dynamic client registration to obtain a client_id, i.e. use an asymmetric client secret instead of a shared secret (like client secret).
The software statement would pre-authorize scopes, for example the scopes needed to call the config API endpoints.
If a person starts the TUI, and it detects that there are no client credentials present, it should prompt for a software statement and the OpenID Connect configuration endpoint (e.g. https://example.com/.well-known/openid-configuration). With these two pieces of data, the TUI could dynamically register, and then prompt the user to start a device flow authentication.
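A sketch of the registration step proposed above, added here as an example and not taken from the project's code: it checks the pasted SSA and the discovery document, then builds the RFC 7591 request body that carries the SSA and the instance's public key. The function names are hypothetical, key-pair generation and the HTTP POST are left to the caller, and it assumes the Auth Server accepts `private_key_jwt` clients with the device grant.

```python
import base64
import json
import time
from urllib.parse import urlparse

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}


def ssa_claims(ssa, now=None):
    """Decode the SSA payload for local sanity checks only.

    The signature is NOT verified here; the Auth Server that issued the SSA
    verifies it when the registration request arrives.
    """
    parts = ssa.strip().split(".")
    if len(parts) != 3:
        raise ValueError("software statement is not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("software statement has expired")
    return claims


def build_registration(ssa, discovery, public_jwk):
    """Return (registration_endpoint, request body) for this TUI instance."""
    ssa_claims(ssa)
    # All three endpoints are needed: register, start device flow, get token.
    for name in ("registration_endpoint", "device_authorization_endpoint",
                 "token_endpoint"):
        if urlparse(discovery.get(name, "")).scheme != "https":
            raise ValueError(f"discovery document has no https {name}")
    # Only the public half of the key pair may be sent to the Auth Server.
    if PRIVATE_JWK_MEMBERS & public_jwk.keys():
        raise ValueError("refusing to send private key material")
    body = {
        "software_statement": ssa.strip(),
        "token_endpoint_auth_method": "private_key_jwt",
        "grant_types": [DEVICE_GRANT],
        "jwks": {"keys": [public_jwk]},
    }
    return discovery["registration_endpoint"], body
```

The returned body is what the TUI would POST as JSON to the registration endpoint; the private key stays on the workstation and later signs the client assertion sent to the token endpoint.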