Parse and validate DPoP Tokens

What does this MR do and why?

ℹ️ This MR needs the following MRs merged first:

See the epic (Allow users to require demonstrated proof of po... (&14383)) for context, pre-work, and other related issues.

This MR is part 3 of:

  1. Add DpopToken class (!173071 - merged)
  2. New DpopTokenUser class (!173662 - merged)
  3. Parse and validate DPoP Tokens (!166206 - merged)

This MR is to provide logic that can:

  1. Validate that a DPoP token (a signed JWT) is well formed according to the spec
    • E.g. each part of the token has the correct number of parts, the signing algorithm is supported, the timestamps are recent enough, a valid key ID is present, etc.
  2. Validate that a DPoP token was correctly signed with one of a user's valid and current signing keys according to the spec. Specifically:
    • the kid will be the base64 url encoding of the SHA256 hash of the public key (added to a user’s profile) corresponding to the private key that the user used to sign their DPoP proof JWT
    • the ath claim is the base64 url encoding of the SHA256 hash of the personal access token (PAT) used when generating the DPoP proof. We use this claim to verify that the hash of the PAT in the DPoP proof matches the hash of the PAT sent in the API request, thereby pinning the PAT to a specific public key of the user
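
The checks listed above, as an added Ruby sketch that is not code from this MR or from GitLab's DpopToken classes. The `DpopCheck` module, its method names, the RS256-only allow-list, the 300-second window and hashing the DER form of the public key for the kid are all assumptions made for illustration.

```ruby
require 'openssl'
require 'json'

# Added example; module and method names are hypothetical, not GitLab's classes.
module DpopCheck
  MAX_AGE = 300 # seconds; assumed freshness window (the page gives no value)

  def self.b64(bytes); [bytes].pack('m0').tr('+/', '-_').delete('='); end
  def self.unb64(str); str.tr('-_', '+/').ljust((str.size + 3) & ~3, '=').unpack1('m0'); end
  def self.sha(data); b64(OpenSSL::Digest::SHA256.digest(data)); end
  # Assumption: kid is computed over the DER encoding of the public key.
  def self.kid_for(key); sha(key.public_key.to_der); end

  # Returns :ok or a symbol naming the first failed check.
  def self.verify(proof, pat:, user_keys:, now: Time.now.to_i)
    parts = proof.to_s.split('.', -1)
    return :malformed unless parts.size == 3 && parts.none?(&:empty?)

    header, claims = parts.first(2).map { |p| JSON.parse(unb64(p)) }
    return :malformed unless header.is_a?(Hash) && claims.is_a?(Hash)
    return :unsupported_alg unless header['alg'] == 'RS256' # assumed allow-list
    return :stale unless claims['iat'].is_a?(Integer) && (now - claims['iat']).abs <= MAX_AGE

    # kid selects which of the user's registered keys signed the proof.
    key = user_keys.find { |k| kid_for(k) == header['kid'] }
    return :unknown_kid unless key
    return :bad_signature unless key.verify('SHA256', unb64(parts[2]), parts[0..1].join('.'))

    # ath pins the PAT to that key: it must equal the hash of the PAT sent.
    OpenSSL.secure_compare(claims['ath'].to_s, sha(pat)) ? :ok : :ath_mismatch
  rescue ArgumentError, JSON::ParserError
    :malformed
  rescue OpenSSL::PKey::PKeyError
    :bad_signature
  end

  # Builds a constructed proof (test data only).
  def self.sign(key, pat, iat)
    head = b64(JSON.generate('typ' => 'dpop+jwt', 'alg' => 'RS256', 'kid' => kid_for(key)))
    body = b64(JSON.generate('iat' => iat, 'ath' => sha(pat)))
    "#{head}.#{body}.#{b64(key.sign('SHA256', "#{head}.#{body}"))}"
  end
end
```

A stolen PAT replayed with a proof made for a different PAT returns `:ath_mismatch`, and a proof signed by a key not registered to the user returns `:unknown_kid`.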

How to set up and validate locally

Currently, this MR only adds the DPoP authentication service, which will be used by the REST/GraphQL API. To see the planned usage, please see Add DPoP checks in GraphQL and API requests (!169013 - merged).

Edited by Rohit Shambhuni
