FAPI RP tests don't check length of state/nonce

As per various background in https://github.com/openid-certification/oidctest/issues/134 and https://github.com/OpenBanking-Brasil/specs-seguranca/issues/160 there's much confusion over state/nonce.

As things currently stand the FAPI tests only require the OP to support a 128 character state and 10 character nonce.

We should probably raise interoperability warnings in the RP tests if the RP exceeds either of these limits, with wording something like:

"Your [state/nonce] is characters, this may cause interoperability issues as the Authorization Server conformance tests only require the OP to support a [128/10] character [state/nonce]"

This would only be a warning (not a fail) as there's no normative text in the specs to backup these limits as per above GitHub issues.
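A sketch of the proposed RP-side check, written here in Python as an added example rather than code from the conformance suite; the 128/10 limits and the warning wording are taken from the issue text above, while the function names and the sample URL are my own.

```python
from urllib.parse import urlsplit, parse_qs

# Lengths the FAPI OP conformance tests currently require an AS to accept
# (from the issue text). Interoperability thresholds only, not normative limits.
SUPPORTED_LENGTHS = {"state": 128, "nonce": 10}


def parse_authorization_request(url):
    """Return the query parameters of an authorization request URL as a
    dict of single (percent-decoded) values, keeping blank values so that an
    empty state= still shows up as present."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in params.items()}


def interop_warnings(params, limits=SUPPORTED_LENGTHS):
    """Return a warning string for each state/nonce value longer than what the
    OP tests require the OP to support. A missing parameter is out of scope for
    this check (other tests cover presence), so it yields no warning here.
    Lengths are counted on the decoded value, i.e. what the OP must store."""
    warnings = []
    for name, limit in limits.items():
        value = params.get(name)
        if value is None:
            continue
        length = len(value)
        if length > limit:
            warnings.append(
                f"Your {name} is {length} characters, this may cause interoperability "
                f"issues as the Authorization Server conformance tests only require "
                f"the OP to support a {limit} character {name}"
            )
    return warnings


if __name__ == "__main__":
    # Constructed sample request: 129-character state, 10-character nonce.
    sample = ("https://as.example/authorize?response_type=code&client_id=rp1"
              "&state=" + "s" * 129 + "&nonce=" + "n" * 10)
    for warning in interop_warnings(parse_authorization_request(sample)):
        print("WARNING:", warning)
```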

(It kind of feels like maybe we should be testing something slightly longer than 10 for nonce - it would be interesting to know what kind of length nonces we have actually seen certified clients use.)

Edited Aug 04, 2023 by Joseph Heenan