Support for private-key signing of access tokens would be nice, to support [DPoP](https://oauth.net/2/dpop/). Although still in draft, there's already a Java-based implementation in [Nimbus](https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/master/src/main/java/com/nimbusds/oauth2/sdk/dpop/), which should be license-compatible.