Get a kerberos TGT via AAD #45
Comments
This depends on #29 because we can't pass the tgt parameter during the auth using Microsoft's msal.
It also depends on #35 because only a ConfidentialClient can obtain tgts.
Perhaps a good way to handle this will be to create a kinit utility which fetches the tgt using MSAL. After which everything else will be handled the same as usual.
This is partially implemented by MR#46. We now have the TGT in the PRT, we just aren't doing anything with it yet (and the tgt is encrypted still). JWE decryption needs to be implemented in compact-jwt for us to get the TGT.
The cloud and on-prem TGTs are now decrypted and residing within the PRT. Now to just do something with them!
We can obtain a TGT by authenticating via a ConfidentialClient, then passing the query parameter “tgt=true” during an authentication. Perhaps we can implement a himmelblau kinit command, which will cache the tgt, and a kerberos wrapper library which forwards our kerberos requests via ms-kkdcp.
Description from Steve Syfuhs:
"You’re handed a TGT during AAD auth by appending the query parameter “tgt=true”, and then issue a TGS-REQ using that TGT to https://login.microsoftonline.com/<tenant_id>/kerberos using [MS-KKDCP]."
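The proposed "kerberos wrapper library which forwards our kerberos requests via ms-kkdcp" has to speak the KDC proxy framing before any TGS-REQ can reach `https://login.microsoftonline.com/<tenant_id>/kerberos`. The block below is an added example, not code from himmelblau or from this issue: it builds and parses the MS-KKDCP `KDC-PROXY-MESSAGE` DER envelope (`kerb-message [0] OCTET STRING` carrying the 4-byte length-prefixed KDC message, optional `target-domain [1] KerberosString`; the optional `dclocator-hint` is omitted) using only the Rust standard library. The KDC message bytes are a constructed placeholder, not a real TGS-REQ, and the HTTPS POST itself (body = this envelope, `Content-Type: application/kerberos`) is left out. The parser rejects an envelope whose length prefix disagrees with the payload, which is the check a forwarder should do before trusting a proxied reply.

```rust
// Added example: MS-KKDCP KDC-PROXY-MESSAGE framing, std only.
// Assumption: target-domain is the only optional field used; dclocator-hint
// is never emitted. HTTP transport is not part of this example.

/// DER length: short form below 0x80, long form otherwise.
fn der_len(n: usize) -> Vec<u8> {
    if n < 0x80 {
        vec![n as u8]
    } else {
        let bytes: Vec<u8> = n.to_be_bytes().iter().copied().skip_while(|&b| b == 0).collect();
        let mut v = vec![0x80 | bytes.len() as u8];
        v.extend(bytes);
        v
    }
}

/// DER tag-length-value.
fn der_tlv(tag: u8, content: &[u8]) -> Vec<u8> {
    let mut v = vec![tag];
    v.extend(der_len(content.len()));
    v.extend_from_slice(content);
    v
}

/// Read one DER element: (tag, content, remaining bytes). None on truncation.
fn der_read(buf: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let tag = *buf.first()?;
    let l0 = *buf.get(1)?;
    let (len, hdr) = if l0 < 0x80 {
        (l0 as usize, 2)
    } else {
        let n = (l0 & 0x7F) as usize;
        if n == 0 || n > 4 {
            return None;
        }
        let bytes = buf.get(2..2 + n)?;
        (bytes.iter().fold(0usize, |acc, &b| (acc << 8) | b as usize), 2 + n)
    };
    let content = buf.get(hdr..hdr + len)?;
    Some((tag, content, &buf[hdr + len..]))
}

/// Wrap a raw KDC message (AS-REQ / TGS-REQ DER) in a KDC-PROXY-MESSAGE.
pub fn kkdcp_wrap(kdc_msg: &[u8], target_domain: Option<&str>) -> Vec<u8> {
    // kerb-message [0] OCTET STRING: 4-byte big-endian length prefix + message,
    // the same framing Kerberos uses over TCP.
    let mut framed = (kdc_msg.len() as u32).to_be_bytes().to_vec();
    framed.extend_from_slice(kdc_msg);
    let mut body = der_tlv(0xA0, &der_tlv(0x04, &framed));
    if let Some(realm) = target_domain {
        // target-domain [1] KERB-REALM, a KerberosString (GeneralString, tag 0x1B).
        body.extend(der_tlv(0xA1, &der_tlv(0x1B, realm.as_bytes())));
    }
    der_tlv(0x30, &body) // SEQUENCE
}

/// Unwrap a KDC-PROXY-MESSAGE into (kdc_msg, target_domain).
/// Returns None on malformed DER or a length prefix that does not match.
pub fn kkdcp_unwrap(msg: &[u8]) -> Option<(Vec<u8>, Option<String>)> {
    let (tag, seq, rest) = der_read(msg)?;
    if tag != 0x30 || !rest.is_empty() {
        return None;
    }
    let (t0, c0, after0) = der_read(seq)?;
    if t0 != 0xA0 {
        return None;
    }
    let (t_oct, framed, _) = der_read(c0)?;
    if t_oct != 0x04 || framed.len() < 4 {
        return None;
    }
    let declared = u32::from_be_bytes([framed[0], framed[1], framed[2], framed[3]]) as usize;
    let kdc_msg = framed.get(4..)?;
    if kdc_msg.len() != declared {
        return None; // prefix/payload mismatch: refuse to forward it
    }
    let mut realm = None;
    if !after0.is_empty() {
        let (t1, c1, _) = der_read(after0)?;
        if t1 == 0xA1 {
            let (t_str, s, _) = der_read(c1)?;
            if t_str != 0x1B {
                return None;
            }
            realm = Some(String::from_utf8(s.to_vec()).ok()?);
        }
    }
    Some((kdc_msg.to_vec(), realm))
}

fn main() {
    // Constructed placeholder, not a real TGS-REQ.
    let fake_tgs_req = b"constructed-TGS-REQ-bytes";
    let wrapped = kkdcp_wrap(fake_tgs_req, Some("EXAMPLE.COM"));
    let (inner, realm) = kkdcp_unwrap(&wrapped).expect("round trip");
    println!("envelope {} bytes, realm {:?}, inner {} bytes", wrapped.len(), realm, inner.len());
}
```

A real forwarder would POST `kkdcp_wrap(tgs_req, Some(realm))` to the tenant's `/kerberos` endpoint and run `kkdcp_unwrap` on the response body before handing the inner KDC-REP to the Kerberos library; the length check is what stops a truncated or padded proxy reply from being parsed as a ticket.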