`auth_session` DPoP binding

[aaronpk]

Do we need to have a DPoP parameter to bind the device session value?

[aaronpk]

Without DPoP binding, device session values should be one-time use.

[PieterKas]

DPoP Section 4.2 defines the extension mechanism.

[aaronpk]

We can define a new parameter ash (auth session hash) to include the hash of the auth_session in the DPoP proof:

https://datatracker.ietf.org/doc/html/rfc9449#name-dpop-proof-jwt-syntax