Quarkus OIDC and HTTPS improvements

[sberyozkin]

Description
We've agreed with Pedro that it is worth investing more time into testing and documenting that the code grants/introspection requests can go via HTTPS, and also possibly support a custom trust/key stores for the 2-way TLS. This follows a user query how to get Keycloak CA verified.

CC @pedroigor

[sberyozkin]

We have also discussed the security of the various client authentication methods with @emmanuelbernard at the forum. The proposal is to warn the users that a client secret may be leaked if auth-server-url is insecure HTTP one and either client_secret_basic or client_secret_post is used.

CC @pedroigor

The only possible side-effect is if OIDC is collocated somewhere in the same protected zone when HTTP is enough ?

[sberyozkin]

Or we can go even further and introduce the auto method selection, example, if it is HTTP and OIDC supports client_server_basic, client_server_post and client_server_jwt then we auto select client_server_jwt but I suspect that may have some unexpected side-effects, so we probably should keep to _basic as a default and then let users to choose based on their requirements

[sberyozkin]

I'm going to close this one because we have a test confirming the HTTPS connection works now, we can reopen more specific TLS related issues going forward