[keycloak-dev] Updates to access code

[Stian Thorgersen]

I've completed all the pre-work required before storing AccessCode details in UserSessionProvider.

What's be done to AccessCode is:

* It no longer contains AccessToken. Instead it just contains the list of requested roles (intersection of client scope and user roles). The AccessToken is generated from this in the TokenService.codeToToken
* authMethod, usernameUsed and rememberMe has been moved to UserSessionModel
* list of RequiredActions have been changed to a single action. The action can be one of the required actions, oauth_grant, or nothing. A code can only be used for the action currently set on it. For example if the code is set to VERIFY_EMAIL that is the only thing it's useful for. Also added the oauth_grant action to make sure a user has verified the grants (if client obviously) before the code is active and can be used to obtain a token.
* expiration has been removed. Instead the timestamp and realm.getAccessCodeLifespan/getAccessCodeLifespanUserAction is used directly.

That's it. Next step is to the details in UserSessionProvider and only send the id as the code query param.

Question: is sending UUID + timestamp sufficient as the code, or should we sign it with JWSBuilder as well?