Document dynamic client auth

[TimothyBJacobs]

To use a dynamic client, make the same OAuth connection request but substitute a JWT Software Statement for the client_id parameter. At the moment, the JWT should be signed with HS256 and password as the secret ( this will be changed ).

The flow will continue as normal. When the user is redirected back to the redirect_uri it will include a client_id parameter in addition to authorization code or token.

[TimothyBJacobs]

An example software statement:

{
  "software_id": "A uuid",
  "redirect_uris": [
    "https://example.org/oauth"
  ],
  "client_name": "Your Client"
}

[TimothyBJacobs]

Software statements can now be unsecured, ie with a "none" algorithm instead of the dummy password we had.

I've also added a WP CLI command to assist in generating the software statement. Example usage:

usage: wp oauth2 create-software-statement <client_uri> [<software_id>] --client_name=<client_name> --redirect_uri=<redirect_uri> [--<field>=<value>]

$ wp oauth2 create-software-statement https://timothybjacobs.com --client_name="My App" --redirect_uri="https://timothybjacobs.com/oauth"
Generated software id: 9d2f6eba-2b66-4fbc-9d31-63edd7a6b2f9
Success: Generated Statement: "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJjbGllbnRfdXJpIjoiaHR0cHM6XC9cL3RpbW90aHliamFjb2JzLmNvbSIsInNvZnR3YXJlX2lkIjoiOWQyZjZlYmEtMmI2Ni00ZmJjLTlkMzEtNjNlZGQ3YTZiMmY5IiwicmVkaXJlY3RfdXJpcyI6WyJodHRwczpcL1wvdGltb3RoeWJqYWNvYnMuY29tXC9vYXV0aCJdLCJjbGllbnRfbmFtZSI6Ik15IEFwcCJ9."

It spits out a software id you can use as your client_id when making a connect request. Note the trailing . is part of the JWT.