
Add oidc device flow after direct flow #319

Status: Open. Wants to merge 2 commits into main from oidc-device-flow-after-direct-flow.
Conversation

DrDaveD
Contributor

@DrDaveD DrDaveD commented May 3, 2024

This adds support for OIDC device flow on top of PR #318. #318 has to be committed first and all its changes are included here. If you'd like to see just the changes compared to that PR, see my own PR 1.

Device flow has several advantages over direct callback mode:

  1. There's no need to configure allowed redirect URIs for the client.
  2. There's no need to configure firewalls to allow the Authorization Server to call back to Vault.
  3. There's no need for the Authorization Server to recognize the CA cert for Vault.
  4. The URL that the user sees is simpler.

So it's worth having device flow even compared to direct callback mode, although direct callback mode is good when Authorization Servers don't support device flow.

Device flow is enabled with this implementation by setting the role configuration callback_mode=device. The device authorization endpoint is auto-discovered. This also adds an additional optional role configuration option poll_interval which defaults to 5.

The client API is slightly extended, to add an optional user_code option in the auth response, and to add a slow_down reply to a poll request. A redirect_uri passed in to the auth API is ignored in device flow.

This is essentially the same PR as hashicorp/vault-plugin-auth-jwt#131 which many people have expressed an interest in but has been sitting unmerged for a few years.
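The polling side of the device flow described above, as an added example that is neither the PR's code nor the plugin's: a Go client that polls the token endpoint with the device_code grant as RFC 8628 specifies, treating authorization_pending as "try again", slow_down as "add 5 seconds to the interval" (RFC 8628 section 3.5) and every other error as the end of the flow. It runs against a constructed httptest Authorization Server; the server's scripted replies, the device code dev-code-123, the client ID "vault" and the token value are assumptions made for the example, and the 5 second starting interval mirrors the poll_interval default stated above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync/atomic"
	"time"
)

// tokenResponse is the subset of the RFC 8628 token-endpoint reply we need.
type tokenResponse struct {
	AccessToken string `json:"access_token,omitempty"`
	Error       string `json:"error,omitempty"`
}

// pollForToken polls the token endpoint with the device_code grant:
// authorization_pending keeps the same interval, slow_down adds 5 seconds
// (RFC 8628 section 3.5), any other error ends the flow. It returns the
// interval in force when polling stopped.
func pollForToken(tokenURL, clientID, deviceCode string, interval time.Duration,
	maxPolls int, sleep func(time.Duration)) (string, time.Duration, error) {
	for i := 0; i < maxPolls; i++ {
		sleep(interval)
		resp, err := http.PostForm(tokenURL, url.Values{
			"grant_type":  {"urn:ietf:params:oauth:grant-type:device_code"},
			"device_code": {deviceCode},
			"client_id":   {clientID},
		})
		if err != nil {
			return "", interval, err
		}
		var tr tokenResponse
		err = json.NewDecoder(resp.Body).Decode(&tr)
		resp.Body.Close()
		if err != nil {
			return "", interval, err
		}
		switch tr.Error {
		case "":
			return tr.AccessToken, interval, nil
		case "authorization_pending": // user has not approved yet
		case "slow_down":
			interval += 5 * time.Second
		default:
			return "", interval, fmt.Errorf("device flow failed: %s", tr.Error)
		}
	}
	return "", interval, fmt.Errorf("no token after %d polls", maxPolls)
}

func writeJSON(w http.ResponseWriter, status int, v interface{}) {
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(v)
}

// newFakeAuthServer is a constructed stand-in for an Authorization Server's
// token endpoint (not a real AS): it rejects unknown device codes, answers
// slow_down on poll 1, authorization_pending on poll 2, a token on poll 3.
func newFakeAuthServer() *httptest.Server {
	var polls int32
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.PostFormValue("device_code") != "dev-code-123" {
			writeJSON(w, http.StatusBadRequest, tokenResponse{Error: "invalid_grant"})
			return
		}
		switch atomic.AddInt32(&polls, 1) {
		case 1:
			writeJSON(w, http.StatusBadRequest, tokenResponse{Error: "slow_down"})
		case 2:
			writeJSON(w, http.StatusBadRequest, tokenResponse{Error: "authorization_pending"})
		default:
			writeJSON(w, http.StatusOK, tokenResponse{AccessToken: "example-access-token"})
		}
	}))
}

// runDeviceFlowDemo polls the fake server starting from a 5 second interval
// (the poll_interval default) and returns the token, the final interval and
// the number of polls the client needed.
func runDeviceFlowDemo() (string, time.Duration, int, error) {
	srv := newFakeAuthServer()
	defer srv.Close()
	polls := 0
	countOnly := func(time.Duration) { polls++ } // stand-in for time.Sleep
	tok, iv, err := pollForToken(srv.URL, "vault", "dev-code-123", 5*time.Second, 10, countOnly)
	return tok, iv, polls, err
}

func main() {
	tok, iv, n, err := runDeviceFlowDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("token=%s final_interval=%s polls=%d\n", tok, iv, n)
}
```

The point of the scripted replies is the back-off: after the first slow_down the client keeps polling at 10 seconds rather than 5, which is what keeps a well-behaved client from being throttled or rejected by the Authorization Server, and only authorization_pending and slow_down are retried, so access_denied or expired_token ends the login instead of spinning until maxPolls.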

DrDaveD force-pushed the oidc-device-flow-after-direct-flow branch from 05c7bf3 to 7d3458f on May 3, 2024 21:04
Signed-off-by: Dave Dykstra <2129743+DrDaveD@users.noreply.github.com>
Signed-off-by: Dave Dykstra <2129743+DrDaveD@users.noreply.github.com>
DrDaveD force-pushed the oidc-device-flow-after-direct-flow branch from 7d3458f to 681486f on May 10, 2024 18:10