Quarkus / QUARKUS-5858

Tech preview Support for OAuth2 Demonstrating Proof of Possession


      Fixes #42115.

      This PR adds complete DPoP token verification support, with tests.

      DPoP is currently restricted to public clients, which explains why the test structure is built around `FrontendResource` emulating an SPA.

      Support for custom DPoP nonce providers can be offered in the future.

      All in all, the implementation is just a translation of https://datatracker.ietf.org/doc/html/rfc9449#name-checking-dpop-proofs and goes through every recommended verification step:

      • DPoP header exists
      • Its HTTP method and URIs are correct
      • It has a non-private public JWK, and the proof signature is correct
      • It has an access token hash which matches the provided access token
      • The access token confirmation claim has a JWK thumbprint which matches the DPoP's public jwk thumbprint

      Some tuning of the URI matching might be needed going forward, but it should work fine for typical cases.

      To support the test cases I updated the Keycloak Dev Service to enable experimental features so that users are able to use DPoP, etc.

      The actual tests can be improved further; in a separate PR I'd like to enable reporting exception causes not only in dev mode but also in test mode.
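The verification steps listed in the description, carried through end to end as an added example. This is not Quarkus code and not the PR's implementation; it is a stand-alone Go sketch of the RFC 9449 section 4.3 checks with both sides of the exchange: `NewProof` plays the SPA that signs a proof with its DPoP key, `VerifyProof` plays the resource server. It assumes ES256 proofs only, that the access token itself has already been validated by the resource server and its `cnf.jkt` claim extracted (passed in as `cnfJkt`), and that `htu` matching only needs query and fragment stripped (the URI tuning the author mentions is not attempted). The function names, the URIs and the token strings are constructed for the example; `jti` replay tracking and server-provided nonces are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Added example, not Quarkus code: the RFC 9449 section 4.3 checks for an ES256 DPoP proof.
var b64 = base64.RawURLEncoding

type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
	D   string `json:"d,omitempty"` // must be absent: a proof carries only the public key
}

type header struct {
	Typ string `json:"typ"`
	Alg string `json:"alg"`
	Jwk jwk    `json:"jwk"`
}

type claims struct {
	Jti string `json:"jti"`
	Htm string `json:"htm"`
	Htu string `json:"htu"`
	Iat int64  `json:"iat"`
	Ath string `json:"ath,omitempty"`
}

func encJSON(v any) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
func sha(s string) string  { h := sha256.Sum256([]byte(s)); return b64.EncodeToString(h[:]) }
func decJSON(s string, v any) error { b, err := b64.DecodeString(s); return errors.Join(err, json.Unmarshal(b, v)) }
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// Thumbprint is RFC 7638 for an EC key: SHA-256 over {"crv","kty","x","y"} in that order, no whitespace.
func Thumbprint(k jwk) string { return sha(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, k.Crv, k.Kty, k.X, k.Y)) }

// NewProof is the client (SPA) side. It also returns the thumbprint the authorization server binds into cnf.jkt.
func NewProof(priv *ecdsa.PrivateKey, method, uri, accessToken string, iat time.Time) (string, string, error) {
	jti := make([]byte, 16)
	rand.Read(jti)
	k := jwk{Kty: "EC", Crv: "P-256", X: b64.EncodeToString(priv.X.FillBytes(make([]byte, 32))),
		Y: b64.EncodeToString(priv.Y.FillBytes(make([]byte, 32)))}
	signing := encJSON(header{Typ: "dpop+jwt", Alg: "ES256", Jwk: k}) + "." + encJSON(claims{
		Jti: b64.EncodeToString(jti), Htm: method, Htu: uri, Iat: iat.Unix(), Ath: sha(accessToken)})
	digest := sha256.Sum256([]byte(signing))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256: raw r||s
	return signing + "." + b64.EncodeToString(sig), Thumbprint(k), nil
}

// VerifyProof is the resource-server side. accessToken is the raw value from "Authorization: DPoP <token>" and
// cnfJkt the cnf.jkt claim of that token, read after the token itself was validated. jti replay and nonces are not shown.
func VerifyProof(proof, method, uri, accessToken, cnfJkt string, now time.Time) error {
	h, c := header{}, claims{}
	parts := strings.Split(proof, ".")
	if len(parts) != 3 || decJSON(parts[0], &h) != nil || decJSON(parts[1], &c) != nil {
		return errors.New("DPoP header is missing or is not a decodable compact JWS")
	}
	x, _ := b64.DecodeString(h.Jwk.X) // a decode failure leaves the coordinate at zero, which is off-curve
	y, _ := b64.DecodeString(h.Jwk.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if h.Typ != "dpop+jwt" || h.Alg != "ES256" || h.Jwk.D != "" || h.Jwk.Kty != "EC" || h.Jwk.Crv != "P-256" ||
		!pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return errors.New("header must have typ dpop+jwt, alg ES256 and a public (non-private) P-256 jwk")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("proof signature does not verify under the embedded jwk")
	}
	uri, _, _ = strings.Cut(uri, "#") // htu is the target URI without query and fragment
	uri, _, _ = strings.Cut(uri, "?")
	if d := now.Unix() - c.Iat; c.Jti == "" || c.Htm != method || c.Htu != uri || d < -60 || d > 300 {
		return errors.New("jti/htm/htu do not match the request, or iat is outside 60 s back / 5 min forward")
	}
	if c.Ath != sha(accessToken) || Thumbprint(h.Jwk) != cnfJkt {
		return errors.New("proof is not bound to the presented access token (ath or cnf.jkt mismatch)")
	}
	return nil
}
```

The order of the checks matters for a practitioner: the signature is verified under the key embedded in the proof before anything else is trusted, and only at the end is that key tied to the access token through the `cnf.jkt` thumbprint. Without the last check an attacker who captures an access token can mint a perfectly valid proof with a key of their own, which is exactly the theft DPoP exists to stop. The `ath` comparison closes the complementary gap, a proof captured from one request being replayed with a different token.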

              Assignee: Unassigned
              Barry LaFond (blafond)
              Martin Ocenas