This repository has been archived by the owner. It is now read-only.

Accept JWT from Service Clients and return authorization token #328

Closed
seanmonstar opened this issue Aug 26, 2015 · 1 comment

@seanmonstar seanmonstar commented Aug 26, 2015

Following Google's lead, Service Clients will generate JWTs to request data for a specific user, signing it with the private key that was gotten during registration.

Algorithms:

  • RSA SHA-256 (wide support)
  • ED25519 (wishlist. smaller, faster, and more secure than RSA. less library support)

Example JavaScript of making the JWT:

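var crypto = require('crypto');

// clientId, userId and privateKey (PEM) are supplied by the Service Client.
// JWT segments use unpadded base64url encoding.
function base64(input) {
  return Buffer.from(input).toString('base64url');
}
// RS256: RSASSA-PKCS1-v1_5 with SHA-256.
function rsa256(data, key) {
  return crypto.createSign('RSA-SHA256').update(data).sign(key);
}

var now = Math.floor(Date.now() / 1000);
var header = { alg: 'RS256', typ: 'JWT' };
var claims = {
  iss: clientId,
  scope: 'profile:email',
  aud: 'https://oauth.accounts.firefox.com/v1/authorization',
  iat: now,
  exp: now + (60 * 5),
  sub: userId + '@accounts.firefox.com'
};

// The signing input is the ASCII string "<header>.<claims>" itself, not its base64-decoded bytes.
var token = base64(JSON.stringify(header)) + '.' + base64(JSON.stringify(claims));
var sig = rsa256(token, privateKey);
var jwt = token + '.' + base64(sig);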

The jwt calculated above would be used as an argument when requesting an authorization token.

POST /v1/authorization?grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=jwt

No additional parameters are required (and are ignored (illegal?)), as they are contained within the signed assertion claim set. The authorization_token will expire, just as when a typical client uses a refresh token.
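
The receiving side of the exchange described above, as an added example that is not part of the original issue or the project's code: the server pins RS256, looks up the public key by `iss`, and checks `aud`, `iat` and `exp` before issuing anything. The `sample-client` id, the `registeredKeys` map, the throwaway key pair, the five-minute `MAX_LIFETIME` cap and all function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const AUDIENCE = 'https://oauth.accounts.firefox.com/v1/authorization';
const MAX_LIFETIME = 60 * 5; // seconds; assumed cap, taken from the issue's example

// Constructed sample: throwaway key pair standing in for a registered Service Client.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const registeredKeys = new Map([['sample-client', publicKey]]); // hypothetical registry

const enc = (v) => Buffer.from(v).toString('base64url');
const dec = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Client side, as in the issue; key === null yields an unsigned token for the negative test.
function makeAssertion(header, claims, key) {
  const input = enc(JSON.stringify(header)) + '.' + enc(JSON.stringify(claims));
  const sig = key ? crypto.sign('sha256', Buffer.from(input), key) : Buffer.alloc(0);
  return input + '.' + enc(sig);
}

function sampleClaims(now, overrides) {
  return Object.assign({
    iss: 'sample-client', scope: 'profile:email', aud: AUDIENCE,
    iat: now, exp: now + MAX_LIFETIME, sub: 'sample-user@accounts.firefox.com'
  }, overrides);
}

// Server side: returns { ok: true, claims } or { ok: false, reason }.
function verifyAssertion(jwt, now) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = String(jwt).split('.');
  if (parts.length !== 3) return fail('malformed');
  let header, claims;
  try { header = dec(parts[0]); claims = dec(parts[1]); } catch (e) { return fail('malformed'); }
  // Pin the algorithm on the server; the token's header must not choose it.
  if (!header || header.alg !== 'RS256') return fail('alg');
  // The key comes from the registration record for iss, never from the token.
  const key = claims && registeredKeys.get(claims.iss);
  if (!key) return fail('iss');
  const signed = Buffer.from(parts[0] + '.' + parts[1]);
  if (!crypto.verify('sha256', signed, key, Buffer.from(parts[2], 'base64url'))) return fail('signature');
  if (claims.aud !== AUDIENCE) return fail('aud');
  if (!Number.isInteger(claims.iat) || !Number.isInteger(claims.exp)) return fail('time');
  if (claims.iat > now) return fail('iat in future');
  if (claims.exp <= now) return fail('expired');
  if (claims.exp - claims.iat > MAX_LIFETIME) return fail('lifetime');
  return { ok: true, claims };
}
```

Claims are read before the signature check only to select the key; nothing in them is trusted until `crypto.verify` succeeds.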

@rfk rfk added this to the FxA-31: service tokens milestone Aug 28, 2015
@seanmonstar seanmonstar self-assigned this Sep 8, 2015
seanmonstar added a commit that referenced this issue Sep 28, 2015
seanmonstar added a commit that referenced this issue Sep 30, 2015
@rfk rfk removed the waffle:review label Oct 6, 2015

@rfk rfk commented Oct 6, 2015

@seanmonstar I went ahead and made a "blocked" column in waffle, which this now shows up in. I'm not 100% clear on the intended semantics of "blocked" here, and how it differs from "waiting on review bandwidth". But we can figure that out as we go.

@rfk rfk assigned jrgm and unassigned seanmonstar Oct 12, 2015