
PoC: enforce upstream IdP session_expiry ceiling #117

Status: Open
kishore7snehil wants to merge 1 commit into main from poc/session-expiry-enforcement

Conversation

@kishore7snehil (Contributor)

Adds enforcement of the IPSIE session_expiry claim for enterprise connections.
When the connection is configured to honor an upstream IdP session ceiling, Auth0
includes a session_expiry claim (absolute Unix seconds) in the ID token. The SDK
reads it at login, stores it with the session, and enforces it on every session read.

Changes

Enforcement

  • Reads session_expiry from userinfo / verified ID-token claims at
    complete_interactive_login and stamps it onto the internal session state.
  • get_user() and get_session() return None once the ceiling is reached
    (silent — behaves like no session, so existing redirect-to-login fires).
  • get_access_token() raises AccessTokenError with code session_expired
    (loud — checked before serving cache or refreshing; refresh is never attempted).
  • Reaching the ceiling deletes the stored session before returning.
  • 30s negative leeway for clock skew; integer-seconds comparison.
  • Refresh-token grant preserves the original ceiling (not re-emitted on refresh).

Claims access

  • session_expiry is surfaced on UserClaims, so it can be read via
    get_user() without triggering enforcement.

New / changed types & errors

  • UserClaims.session_expiry: Optional[int]
  • InternalStateData.session_expires_at: Optional[int]
  • AccessTokenErrorCode.SESSION_EXPIRED = "session_expired"

@kishore7snehil kishore7snehil requested a review from a team as a code owner June 4, 2026 15:38
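The enforcement rules listed in the PR body, as an added illustration that is not the PR's own code: a hypothetical in-memory SessionStore exposing SDK-shaped get_user / get_session / get_access_token plus an assumed apply_refresh, driven by an explicit `now` so the boundary cases can be exercised. Assumptions: the 30 s negative leeway means the ceiling is treated as reached 30 s early, and the `no_session` error code for a missing session is invented for the example.

```python
from dataclasses import dataclass
from typing import Any, Dict, Optional

LEEWAY = 30  # 30 s negative leeway: the ceiling counts as reached 30 s early (assumed direction)

class AccessTokenError(Exception):
    def __init__(self, code: str, message: str) -> None:
        super().__init__(message)
        self.code = code  # mirrors AccessTokenErrorCode, e.g. "session_expired"

@dataclass
class InternalState:
    user: Dict[str, Any]                      # verified claims, including session_expiry
    access_token: str
    session_expires_at: Optional[int] = None  # absolute Unix seconds; None = no ceiling

class SessionStore:  # hypothetical in-memory store keyed by session id; not the SDK's API
    def __init__(self) -> None:
        self._sessions: Dict[str, InternalState] = {}

    def complete_login(self, sid: str, claims: Dict[str, Any], token: str) -> None:
        exp = claims.get("session_expiry")  # stamp the upstream ceiling if the IdP sent one
        self._sessions[sid] = InternalState(claims, token, None if exp is None else int(exp))

    def _ceiling_reached(self, state: InternalState, now: int) -> bool:  # integer seconds
        return state.session_expires_at is not None and int(now) >= state.session_expires_at - LEEWAY

    def get_session(self, sid: str, now: int) -> Optional[InternalState]:
        state = self._sessions.get(sid)
        if state is not None and self._ceiling_reached(state, now):
            del self._sessions[sid]  # reaching the ceiling deletes the stored session
            return None              # silent: the caller just sees "no session"
        return state

    def get_user(self, sid: str, now: int) -> Optional[Dict[str, Any]]:
        return getattr(self.get_session(sid, now), "user", None)

    def get_access_token(self, sid: str, now: int) -> str:
        state = self._sessions.get(sid)
        if state is None:
            raise AccessTokenError("no_session", "not logged in")
        if self._ceiling_reached(state, now):  # checked before serving cache or refreshing
            del self._sessions[sid]
            raise AccessTokenError("session_expired", "upstream IdP session ceiling reached")
        return state.access_token  # loud path; a refresh is never attempted past the ceiling

    def apply_refresh(self, sid: str, new_claims: Dict[str, Any], token: str, now: int) -> None:
        state = self.get_session(sid, now)  # the refresh grant does not re-emit session_expiry,
        if state is not None:               # so the original ceiling on the state is kept
            state.user, state.access_token = {**state.user, **new_claims}, token
```

With session_expiry = 1000 and the 30 s leeway, reads at now = 969 still succeed while now = 970 expires the session silently for get_user and loudly for get_access_token.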