
[ABCA] Initial Support for Attestation-Based Client Authentication #198

@Awambeng

Description


This is a proxy of:

Introduce the initial implementation of Attestation-Based Client Authentication based on Thomas' work, but cleaned up and aligned with the spec.

This includes:

Core missing validation required by spec

  • Verify Client Attestation JWT signature using trusted attester public keys
  • Add support for attester JWKS loading from client/realm config
  • Validate claims (iss, sub, aud, nbf, etc.) for both Attestation JWT and PoP JWT
  • Validate typ header in both Attestation and PoP JWT
  • Validate algorithm is asymmetric, supported, and not "none"
  • Validate client_id matches Attestation sub and PoP iss
  • Validate cnf.jwk contains public key only
  • Validate PoP JWT includes challenge claim instead of nonce (fix incorrect claim)

Spec-defined errors

  • Implement invalid_client_attestation
  • Implement use_fresh_attestation
  • Add proper HTTP response format for attestation errors
  • Add optional challenge header (not the challenge endpoint yet)

Fix required spec compliance: challenge claim

  • Replace nonce with challenge
  • Update extraction & validation logic
  • Update code comments/documentation

PAR endpoint parity

  • Ensure PAR endpoint performs identical attestation validation

estimated time: 4–5 days
