
support pkce when fetching user certificates#3304

Merged
psasidhar merged 3 commits intomasterfrom
pkce
Apr 16, 2026

Conversation

@havetisyan
Collaborator

@havetisyan havetisyan commented Apr 15, 2026

Description

improve security posture for user certificates:

UserCertificateProvider:

  • audience is now required
  • token endpoints must be https
  • if no secret, then pkce code verifier is required
  • attestation data must be code={code}&code_verifier={code_verifier} format

Idp go library:

  • state value is verified on return
  • pkce option - default true
  • cert stored with 600 mode

Contribution Checklist:

  • The pull request does not introduce any breaking changes
  • I have read the contribution guidelines.
  • Create an issue and link to the pull request.

Attach Screenshots (Optional)

Signed-off-by: Henry Avetisyan <hga@yahooinc.com>
Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request implements PKCE support for the IdP authentication flow in both Go and Java libraries, enhancing security for user certificate requests. Key updates include the generation and verification of code challenges and verifiers, mandatory audience configuration, and enforcing HTTPS for IdP endpoints. Additionally, file permissions for saved certificates in the Go utility were restricted to 0600. Review feedback suggests updating the documentation for the verifier generation function to reflect its new parameters and removing the non-standard inclusion of the 'state' parameter in the token exchange request.

Comment thread libs/go/usercert/idp.go Outdated
Signed-off-by: Henry Avetisyan <hga@yahooinc.com>
Signed-off-by: Henry Avetisyan <hga@yahooinc.com>
@psasidhar psasidhar merged commit 8ddb741 into master Apr 16, 2026
8 checks passed
@psasidhar psasidhar deleted the pkce branch April 16, 2026 00:49

2 participants