Explicitly allow arbitrary request content to the identity assertion endpoint

[bvandersloot-mozilla]

We kind of already allow this via the nonce, however it could be useful to codify this more explicitly. Especially as this would allow inclusion of scopes being requested without having to smuggle them in via the URL of the auth endpoint or in the nonce.

I discussed something related to this in fedidcg/proposals#3 but it could be adapted here. I'll add a comment with a general shape of the proposal.

[bvandersloot-mozilla]

This would entail:

1. Adding a field to IdentityProviderConfig, USVString assertion_request;
2. Modifying fetch an identity assertion to append to |requestBody| "&config_request=" and |config|'s assertion_request.

Overall this change is quite small and does not change the security properties. Names are only suggestions.

[samuelgoto]

@cbiesinger @bvandersloot-mozilla I'm wondering if we could/should make this a duplicate of https://github.com/fedidcg/FedCM/issues/556? wdyt?

[cbiesinger]

sgtm

[samuelgoto]

Ok, @bvandersloot-mozilla I'm going to mark this as a duplicate of w3c-fedid/custom-requests#2 . Feel free to reopen if you feel like there is something else here that isn't captured there.