feat: support OIDC id_token

- generate JWT id_token in token exchange
- store optional nonce in authorization object
- switch to RS256 algorithm for JWT signature
- add JWKs endpoint to provide OIDC clients with public keys

migrations/all.sql

@@ -33,6 +33,7 @@ CREATE TABLE authorizations (
     client_id           TEXT NOT NULL,
     scopes              TEXT, -- json array of app scope (permissions)
     code                TEXT,
+    nonce               TEXT, -- code used to associate client session to id_token
 
     last_used_at        DATETIME,
     created_at          DATETIME NOT NULL