Microsoft Entra supports (and recommends for production) the use of client certificates rather than client secrets for authorization token / etc.
To achieve this you need to omit the client_secret parameter, set the client_assertion_type parameter to urn:ietf:params:oauth:client-assertion-type:jwt-bearer and the client_assertion parameter to a jwt signed with the certificate. The following article details a little of it: https://melmanm.github.io/misc/2023/12/02/article12-azure-ad-client-secret-vs-certificate.html
I'm not sure that I should request that these params be constructed by this library, but maybe it would be good to be able to construct these search params myself and pass them through - or maybe pass in a callback that can add params to the URLSearchParams in validateAuthorizationCode, instead of using client_id.
For context I'm using remix-auth-microsoft, which uses remix-auth-oauth2, which uses this library (and uses the Client directly, not using any of the providers). If this idea gets any traction here then I'd be going to talk to the authors of those libraries about exposing any of this new functionality when they construct the Client.