Support client authentication via private key jwt #1023

Open
thomasdarimont opened this issue Nov 28, 2024 · 1 comment

Comments

@thomasdarimont

Description

Add support for client authentication via "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" and a proper client JWT sent as "client_assertion".

Discussion

No response

Motivation

IMHO using a dedicated client with client_credentials grant and proper service account roles for managing the realm configurations is the best way to go. Unfortunately the current version of the terraform provider only supports client authentication via client secret, as shown here: https://github.com/keycloak/terraform-provider-keycloak/blob/master/keycloak/keycloak_client.go#L261

To improve security we could also add support for authentication via private key JWT via "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" and a proper client JWT sent as "client_assertion".
We would then configure "private key jwt" as the auth method for the client and configure the client certificate in the client JWKS configuration.

Details

client_assertion_type, private key and certificate should be provided as configuration parameters.

@thomasdarimont thomasdarimont changed the title Support authentication via private key jwt Support client authentication via private key jwt Nov 28, 2024
@mauriceackel

It should also be possible to directly provide a client assertion and skip the private key setup.

This would allow users to easily use workload identity. The use case is the following:

  1. Terraform running in a pipeline and authenticated with a Google Cloud service account
  2. Using the Google Cloud SDK, get a signed client assertion (signed by the Google service account)
  3. Use this assertion to authenticate with Keycloak
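Both the private-key flow described in the issue and the pre-minted-assertion flow in the comment above, as an added Go example that is not code from the terraform-provider-keycloak project or from either commenter. It builds, sends and verifies an RFC 7523 client assertion with the standard library only. The function names, the `terraform` client ID and the `keycloak.example.com` host are assumptions; the realm token endpoint URL is used as `aud`, which Keycloak accepts alongside the realm issuer URL (an assumption to confirm against your server version).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// client_assertion_type value for JWT client authentication (RFC 7523 section 2.2).
const ClientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
// Claims of a private_key_jwt assertion: iss/sub carry the client ID, aud names the token endpoint, jti is unique, exp bounds the lifetime.
type ClientAssertionClaims struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"`
	Audience  string `json:"aud"`
	JWTID     string `json:"jti"`
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// SignClientAssertion mints an RS256 JWT for clientID; a short ttl and a random jti limit replay of a leaked assertion.
func SignClientAssertion(key *rsa.PrivateKey, clientID, tokenURL string, now time.Time, ttl time.Duration) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(ClientAssertionClaims{ // plain strings/ints: Marshal cannot fail
		Issuer: clientID, Subject: clientID, Audience: tokenURL,
		JWTID: b64url(jti), IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix(),
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// TokenRequestForm is the body POSTed to the token endpoint: client_credentials with an
// assertion in place of client_secret. One minted elsewhere (a cloud workload identity) is passed through unchanged.
func TokenRequestForm(clientID, assertion string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"client_id":             {clientID},
		"client_assertion_type": {ClientAssertionType},
		"client_assertion":      {assertion},
	}
}

// VerifyClientAssertion mirrors the server side, using the key registered in the
// client's JWKS: pin the algorithm, check the signature, then bind iss/sub/aud/exp.
func VerifyClientAssertion(pub *rsa.PublicKey, token, clientID, tokenURL string, now time.Time) (*ClientAssertionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr struct{ Alg string `json:"alg"` }
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("header must declare RS256") // rejects alg=none and HMAC key confusion
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c ClientAssertionClaims
	if raw, err = base64.RawURLEncoding.DecodeString(parts[1]); err != nil {
		return nil, err
	} else if err = json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	if c.Issuer != clientID || c.Subject != clientID || c.Audience != tokenURL {
		return nil, errors.New("iss/sub/aud do not bind the assertion to this client and endpoint")
	}
	if now.Unix() >= c.ExpiresAt {
		return nil, errors.New("assertion expired")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tokenURL := "https://keycloak.example.com/realms/master/protocol/openid-connect/token" // assumed host
	assertion, _ := SignClientAssertion(key, "terraform", tokenURL, time.Now(), time.Minute)
	fmt.Println(TokenRequestForm("terraform", assertion).Encode())
}
```

The verifier pins `alg` to RS256 before it looks at the signature; a verifier that trusts the header instead can be steered into `alg=none` or into treating the RSA public key as an HMAC secret. For the workload-identity case in the comment, only `TokenRequestForm` is needed: the assertion from the external signer goes in as-is, and the key registered in the Keycloak client's JWKS must then be that signer's key, not one held by Terraform.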
