App Auth: Replace HTTP Signature and consistency check

[melegiul]

See #63 (comment)

Most of it is already done. But still the HTTP Signatures replacement and the consistency check on setup (e.g. on setup a signature is sent and checked with the supplied public key) is open.

Open Issues

• Replace HTTP Signatures with verification of client-side generated JWT
• Verify code challenge on Action-Token-endpoint (authenticate) from the code_verifier query parameter

Todo

• Delete login attempt/challenge after Action-Token-endpoint (for authenticate) was succesful called
• Implement auto refresh of the Setup/Authenticate Keycloak page via Server Sent Events
• Response payload of Get-Challenges-endpoint returns a list of challenges instead of a single one
• Update Error Responses
• Get Challenges and Reply Challenge Endpoint need to return the 409 error also when there is no login attempt. Otherweise the client does'nt know if the authenticator needs to get removed.
• Remove OpenAPI spec
• Rework documentation (readme)
• Return clientName and clientUrl in payload of Get-Challenges-endpoint
• Consistency check on setup
• Reduce expiration for the app-auth-action-token to 60 seconds
• Make expiration for app-auth-action-token configurable Admin UI
• Rename attribute secret in Challenge DTO to codeChallenge
• Remove device_id query parameter on Get-Challenges-endpoint retrieve it from the signature