Populate 'ath' claim in DPoP when access token is used

[bifurcation]

Fixes #406

According to draft-03 of DPoP:

   When the DPoP proof is used in conjunction with the presentation of
   an access token, see Section 7, the DPoP proof also contains the
   following claim:

   *  "ath": hash of the access token (REQUIRED).  The value MUST be the
      result of a base64url encoding (with no padding) the SHA-256 hash
      of the ASCII encoding of the associated access token's value.

The DPoP implementation in this repository currently does not provide the ath claim when used with an access token (e.g., in userinfo() and requestResource()). This PR updates the DPoP proof construction code so that if an access token is provided, then the ath parameter is included in the proof.

[bifurcation]

I have also verified that this branch interoperates with node-oidc-provider, using the scripts linked in #406.

[panva]

@bifurcation thank you for the PR, I've made a few small adjustments and will release a new minor (this is a feat, not a fix) shortly.