feat: support client assertion for client credentials authentication

[ewanharris]

Description

This PR introduces support for performing a client credentials authentication flow using client assertion (aka private key jwt, jwt ca) as an alternative to the existing client secret authentication method.

As this is an alternative ClientCredentials method I have split the existing configuration out into ClientSecretConfig and introduced a ClientAssertionConfig to go along side this and changed the ClientCredentialsConfig to be union of the two to allow type checking to work correctly.

The client assertion signing is performed using jose and I am using v5 of this library over v6 as the latter is an ESM only package which would have implications for our supported Node.js versions.

An extra, not insignificant change to this is the addition of a customClaims property on the client credentials configuration, this is to allow extra data to be passed to the token exchange for clients that need this.

References

Review Checklist

• I have clicked on "allow edits by maintainers".
• I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
• The correct base branch is being used, if not main
• I have added tests to validate that the change in functionality is working as expected

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	jose@​5.10.0

View full report

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 88.88889% with 2 lines in your changes missing coverage. Please review.

Project coverage is 88.16%. Comparing base (b605f86) to head (48b0e9f).

Files with missing lines	Patch %	Lines
credentials/credentials.ts	88.88%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #228      +/-   ##
==========================================
- Coverage   88.18%   88.16%   -0.02%     
==========================================
  Files          23       23              
  Lines        1202     1217      +15     
  Branches      211      197      -14     
==========================================
+ Hits         1060     1073      +13     
- Misses         84       86       +2     
  Partials       58       58              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[ewanharris]

I chose to spread config.customClaims first so that any of the required properties will be set, however I can also see a world where it might be desirable to allow this to be overridden.

[ewanharris]

This might seem unexpected, but per the spec the aud in this JWT assertion must identify the authorization server as it is the intended consumer of the JWT

[ewanharris]

Wondering whether to rename the config as that PrivateKeyJWT is the authentication type and ClientAssertion is just the property it is sent as (although I think it should remain clientAssertionSigningKey and clientAssertionSigningAlgorithm

Suggested change

	export type ClientAssertionConfig = BaseClientCredentialsConfig & {
	export type PrivateKeyJWTConfig = BaseClientCredentialsConfig & {