
feat: Add support for fetching rich consents #139

Status: Open. Wants to merge 5 commits into base: master.

Conversation


@sam-muncke sam-muncke commented Dec 10, 2024

Description

Adds the ability to retrieve additional consent information from Auth0's /rich-consents endpoint. This is required for certain flows such as Client Initiated Backchannel Authentication (CIBA).

On receipt of a push notification, where required, additional consent can be obtained as follows:

Guardian
    .consent(forDomain: AppDelegate.guardianDomain, device: enrollment)
    .fetch(consentId: notification.transactionLinkingId, notificationToken: notification.transactionToken)
    .start { result in
        switch result {
        case .failure(let cause):
            // handle error (a Swift case body needs at least one statement)
            print("Failed to fetch consent: \(cause)")
        case .success(let payload):
            // render consent information to user
            print("Consent payload: \(payload)")
        }
    }

The user can then use the additional information in the consent record to decide whether to allow or reject the request.

Example of rich-consents binding message being rendered in the test app:

Requests to the /rich-consent endpoint require sender constraining via demonstrating proof of possession based on a modified version of the DPoP standard to ensure the access token is bound to the keys used for device enrollment. This change also extends the existing JWT encoding to be able to create a DPoP Proof JWT.

References

Testing

  1. Requires CIBA flow enabled for your Auth0 tenant (currently in Beta).
  2. Enable CIBA grant on your Auth0 application under application settings.
  3. Using the TestApp included in this repo, configure Guardian MFA for iOS using APNs.
  4. Enroll the device for a user.
  5. Initiate a CIBA auth request.
  6. Device should receive a push notification, rendering a consent panel with the CIBA binding message.
  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

@sam-muncke sam-muncke marked this pull request as ready for review December 11, 2024 12:18
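The sender-constraining step described in the PR (a DPoP proof JWT signed with the enrollment key and bound to the access token), as an added example that is not part of this PR or of the Guardian SDK: a standard-library Go program that builds an ES256 DPoP proof and a verifier that performs the checks a resource server such as /rich-consents would. It uses the standard RFC 9449 shape (typ "dpop+jwt", embedded jwk, htm, htu, iat, jti and the ath hash of the access token); the PR says Auth0 relies on a modified variant, so the exact header and claim names Guardian uses are an assumption here. NewEnrollmentKey, the URL and the token values in the usage below are constructed stand-ins, not Guardian APIs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // unpadded base64url, as JOSE requires

// jwk is the public key carried in the proof header; the server compares it
// with the key registered at enrollment.
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// NewEnrollmentKey stands in for the key pair created at device enrollment (assumption).
func NewEnrollmentKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func publicJWK(pub *ecdsa.PublicKey) jwk {
	x := pub.X.FillBytes(make([]byte, 32)) // P-256 coordinates are fixed 32-byte values
	y := pub.Y.FillBytes(make([]byte, 32))
	return jwk{Kty: "EC", Crv: "P-256", X: b64.EncodeToString(x), Y: b64.EncodeToString(y)}
}

func decodeSegment(seg string, v any) error {
	b, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// MakeDPoPProof signs one ES256 DPoP proof JWT (RFC 9449 claim set) for a single request.
func MakeDPoPProof(priv *ecdsa.PrivateKey, method, url, accessToken string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	ath := sha256.Sum256([]byte(accessToken)) // binds this proof to exactly this access token
	header, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": publicJWK(&priv.PublicKey)})
	claims, _ := json.Marshal(map[string]any{
		"htm": method, "htu": url, "iat": now.Unix(),
		"jti": b64.EncodeToString(jti), "ath": b64.EncodeToString(ath[:]),
	})
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS encodes ES256 signatures as r||s with fixed 32-byte halves, not ASN.1 DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyDPoPProof runs the resource-server checks (header, signature under the embedded key, method/URL
// binding, iat window, ath binding) and returns the proof's key for comparison with the enrolled key.
func VerifyDPoPProof(proof, method, url, accessToken string, now time.Time, maxSkew time.Duration) (jwk, error) {
	parts := strings.Split(proof, ".")
	var header struct{ Typ, Alg string; Jwk jwk } // encoding/json matches field names case-insensitively
	if len(parts) != 3 || decodeSegment(parts[0], &header) != nil ||
		header.Typ != "dpop+jwt" || header.Alg != "ES256" || header.Jwk.Kty != "EC" || header.Jwk.Crv != "P-256" {
		return jwk{}, errors.New("not an ES256 dpop+jwt carrying a P-256 jwk")
	}
	xb, errX := b64.DecodeString(header.Jwk.X)
	yb, errY := b64.DecodeString(header.Jwk.Y)
	sig, errS := b64.DecodeString(parts[2])
	if errX != nil || errY != nil || errS != nil || len(sig) != 64 {
		return jwk{}, errors.New("bad key or signature encoding")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) ||
		!ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return jwk{}, errors.New("signature does not verify under the embedded jwk")
	}
	var claims struct{ Htm, Htu, Jti, Ath string; Iat int64 }
	if decodeSegment(parts[1], &claims) != nil || claims.Htm != method || claims.Htu != url || claims.Jti == "" {
		return jwk{}, errors.New("proof is malformed, bound to a different request, or lacks jti")
	}
	want := sha256.Sum256([]byte(accessToken))
	if d := now.Sub(time.Unix(claims.Iat, 0)); d > maxSkew || d < -maxSkew || claims.Ath != b64.EncodeToString(want[:]) {
		return jwk{}, errors.New("proof outside the iat window or ath does not match the presented token")
	}
	return header.Jwk, nil
}
```

Two things the verifier deliberately leaves to the caller, because they need state the function does not have: the returned jwk must be compared with the key stored at enrollment (a proof under any valid key would otherwise pass, which is exactly the binding the PR is adding), and the jti must be recorded in a short-lived cache to reject replays inside the iat window.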