Remove `client_metadata_uri` authorization parameter

[jogu]

There are undocumented & unsolved security issues around client_metadata_uri ( #14 ) and further concerns that it's not clear what client metadata parameters can actually be used in it ( #17 ).

There's a further suggestion to decide an alternative way of fetching client metadata from a .well-known location ( #82 ).

Given all this I would like to propose we just remove client_metadata_uri from the specification entirely.

[peppelinux]

I fully support this proposal.

Thank you @jogu for bringing this up.

[bc-pi]

I am in favor (or favour) of the removal of client_metadata_uri

[David-Chadwick]

I am also in favour of its removal

[awoie]

I am also in favour of its removal

[jogu]

This was discussed on both working group calls this week with no objections raised.

As a final check I've sent a message sent to mailing list seeking to confirm that removing it won't cause problems for any implementors:

https://lists.openid.net/pipermail/openid-specs-digital-credentials-protocols/Week-of-Mon-20240701/000392.html

If we don't get any negative feedback by a week from today we will open a PR to remove it.