FAPI2 profile support

[paulswartz]

Ref: https://github.com/erlef/oidcc/discussions/316

Open Questions

• [x] should this split the profile atoms into fapi2_security_profile and fapi2_message_signing? The latter seems to also require request objects and JARM (even if the conformance suite doesn't seem to).

TODO

• [x] test coverage
• [x] documentation
• [x] Elixir implementation

[coveralls]

Pull Request Test Coverage Report for Build 132

• 100 of 105 (95.24%) changed or added relevant lines in 5 files are covered.
• 1 unchanged line in 1 file lost coverage.
• Overall coverage increased (+0.8%) to 93.994%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
src/oidcc_profile.erl	44	45	97.78%
src/oidcc_token.erl	13	14	92.86%
src/oidcc_authorization.erl	18	21	85.71%
<!--	Total:	100	105	95.24%	-->

Files with Coverage Reduction	New Missed Lines	%
src/oidcc_token.erl	1	88.46%
<!--	Total:	1		-->

Totals
Change from base Build 142:	0.8%
Covered Lines:	892
Relevant Lines:	949

---

💛 - Coveralls

[maennchen]

should this split the profile atoms into fapi2_security_profile and fapi2_message_signing?

That would probably be good. FAPI1 also has very different requirements between the specs.

[maennchen]

@paulswartz mTLS should be relatively simple to handle:

The user can already supply ssl options. If you include cert[file], key[file] and verify: :verify_peer, mTLS is enabled.

So we can just verify that they either are set, tls_client_auth is supported by the provider and otherwise require DPoP.

[maennchen]

After this minor correction good for merge.

[maennchen]

@paulswartz Can you open issues for all the TODOs that are missing for full compliance? (Like JARM and mTLS)

[maennchen]

@paulswartz Can you run mix format so that I can merge?