This repository has been archived by the owner on Sep 10, 2024. It is now read-only.

Validate signed software_statements in client registration #1943

Open
sandhose opened this issue Oct 11, 2023 · 1 comment
Labels
A-Client-Registration Related to OIDC Dynamic Client Registration S-Major Major functionality / product severely impaired, no satisfactory workaround. T-Enhancement New feature or request

Comments

@sandhose
Member

This should allow us to deduplicate client registrations, and therefore consider multiple instances of the same client to be the same client as they present the same software_statement.

The software statement should itself contain the information on how it should be verified. This should be done through the same proof-of-possession semantics defined in RFC7800, meaning that the JWT header should include a cnf field containing the JWK or a JWKS URI.

My plan is to:

  • deliver the same client_id for the same client at the same version
  • deliver different client_ids for the same client at different versions, but group them in terms of user consent/UI. We would display the consent screen again only if something significant changed in the client metadata (like any of tos_uri/privacy_uri/client_uri changing)

MAS should consider that the client is the same (but not necessarily the same version) if (header.cnf, payload.software_id) is the same.
It should consider it is the same version (therefore the same client_id) if (header.cnf, payload.software_id, payload.software_version) is the same.

@sandhose sandhose added T-Enhancement New feature or request S-Major Major functionality / product severely impaired, no satisfactory workaround. A-Client-Registration Related to OIDC Dynamic Client Registration labels Oct 11, 2023
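The verification and dedup-key derivation sketched in the issue, as an added example in Go (standard library only; this is not MAS code): a client mints an ES256 software_statement carrying its public key as cnf.jwk in the JWT header, and the server verifies the signature against that key, then derives (cnf, software_id) and (cnf, software_id, software_version). Comparing cnf by its RFC 7638 JWK thumbprint and pinning alg to ES256 are choices made here, not specified by the issue; the jku (JWKS URI) variant of cnf is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// P-256 JWK subset; fields sit in lexicographic order so json.Marshal emits the RFC 7638 canonical form.
type JWK struct{ Crv string `json:"crv"`; Kty string `json:"kty"`; X string `json:"x"`; Y string `json:"y"` }
type Header struct{ Alg string `json:"alg"`; Cnf struct{ JWK *JWK `json:"jwk"` } `json:"cnf"` }
type Statement struct{ SoftwareID string `json:"software_id"`; SoftwareVersion string `json:"software_version"` }

// Thumbprint is the RFC 7638 SHA-256 JWK thumbprint: a stable string for comparing header.cnf across registrations.
func (k JWK) Thumbprint() string { c, _ := json.Marshal(k); s := sha256.Sum256(c); return b64.EncodeToString(s[:]) }
func raw32(v *big.Int) []byte { return v.FillBytes(make([]byte, 32)) }

// Sign mints an ES256 software_statement whose header carries the verification key as cnf.jwk (client side).
func Sign(priv *ecdsa.PrivateKey, st Statement) (string, error) {
	h := Header{Alg: "ES256"}
	h.Cnf.JWK = &JWK{"P-256", "EC", b64.EncodeToString(raw32(priv.X)), b64.EncodeToString(raw32(priv.Y))}
	hb, _ := json.Marshal(h); pb, _ := json.Marshal(st)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	d := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, d[:])
	if err != nil { return "", err }
	return input + "." + b64.EncodeToString(append(raw32(r), raw32(s)...)), nil // JWS raw r||s encoding
}

// Verify checks the statement against the key in its own header and returns the two dedup keys from the issue:
// (cnf, software_id) identifies the client; adding software_version identifies the client_id.
func Verify(token string) (clientKey, versionKey string, err error) {
	p := strings.Split(token, ".")
	if len(p) != 3 { return "", "", errors.New("malformed JWT") }
	hb, e1 := b64.DecodeString(p[0]); pb, e2 := b64.DecodeString(p[1]); sig, e3 := b64.DecodeString(p[2])
	var h Header; var st Statement
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &h) != nil || json.Unmarshal(pb, &st) != nil { return "", "", errors.New("undecodable JWT") }
	// Pin the algorithm and require a self-contained key; a jku (JWKS URI) would need a fetch step instead.
	if h.Alg != "ES256" || h.Cnf.JWK == nil || h.Cnf.JWK.Kty != "EC" || h.Cnf.JWK.Crv != "P-256" || len(sig) != 64 { return "", "", errors.New("unsupported alg or missing cnf.jwk") }
	xb, e1 := b64.DecodeString(h.Cnf.JWK.X); yb, e2 := b64.DecodeString(h.Cnf.JWK.Y)
	pub := ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	if e1 != nil || e2 != nil || !pub.Curve.IsOnCurve(pub.X, pub.Y) { return "", "", errors.New("invalid cnf.jwk") }
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if !ecdsa.Verify(&pub, d[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) || st.SoftwareID == "" { return "", "", errors.New("bad signature or missing software_id") }
	id := h.Cnf.JWK.Thumbprint() + "|" + st.SoftwareID
	return id, id + "|" + st.SoftwareVersion, nil
}
```

Two statements from the same key and software_id yield the same clientKey and, when software_version differs, different versionKeys; a different key with the same software_id is a different client, and a tampered payload or an unsupported alg is rejected.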
@matrixbot
Member

For your information, this issue has been copied over to the Element fork of matrix-authentication-service: element-hq/matrix-authentication-service#1943
