feat: add support for backchannel authentication

[guabu]

📋 Changes

Adds support for Client-Initiated Backchannel Authentication. A new method getTokenByBackchannelAuth is exposed on the client that enables developers to initiate a backchannel authentication request and poll the token endpoint until it's complete.

The openid-client was added to handle the polling and retry logic without having to re-implement it ourselves using oauth4webapi and to start moving the implementation closer to that of auth0-auth-js.

🎯 Testing

1. Call the getTokenByBackchannelAuth method from a server route/action
2. Authorize or reject the authorization via a Guardian app
3. The SDK will return the token set or error accordingly

[adamjmcgrath]

The openid-client was added to handle the polling and retry logic without having to re-implement it ourselves using oauth4webapi and to start moving the implementation closer to that of auth0-auth-js.

Would it make more sense to use auth0-auth-js for CIBA now if that's what the sdk is going to end up using?

[codecov-commenter]

Codecov Report

❌ Patch coverage is 84.72222% with 22 lines in your changes missing coverage. Please review.
✅ Project coverage is 85.34%. Comparing base (93e7b2a) to head (866ae3c).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
src/server/auth-client.ts	87.17%	15 Missing ⚠️
src/server/client.ts	12.50%	7 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2261      +/-   ##
==========================================
- Coverage   85.39%   85.34%   -0.05%     
==========================================
  Files          26       26              
  Lines        2471     2613     +142     
  Branches      462      481      +19     
==========================================
+ Hits         2110     2230     +120     
- Misses        355      377      +22     
  Partials        6        6              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[tusharpandey13]

Do we think that exporting openid-client polling configuration can be useful here instead of hardcoding the default config?
https://github.com/panva/openid-client/blob/main/docs/interfaces/BackchannelAuthenticationGrantPollOptions.md

[guabu]

Thanks for the reviews!

Do we think that exporting openid-client polling configuration can be useful here instead of hardcoding the default config?
https://github.com/panva/openid-client/blob/main/docs/interfaces/BackchannelAuthenticationGrantPollOptions.md

We might want to consider that in the future if/when the use case arises but for the time being I would say it's better to keep the surface area of the API limited.

Would it make more sense to use auth0-auth-js for CIBA now if that's what the sdk is going to end up using?

We chatted about this and decided to rely on openid-client directly since that's what auth0-auth-js uses under the hood as well.