Investigate adding STS (OAuth2 Token-based) Authentication Support #1191

@yrobla

Description

Add standardized OAuth2 support (token exchange, STS-style flows) to ToolHive so it can act as an OAuth 2.0 resource server or token introspection proxy for MCP servers—extending beyond the current OIDC-only authentication.

ToolHive currently uses OIDC (JWT-based authentication) or opaque tokens to confirm user identity and then authorizes actions using Cedar policies.
However, some deployment scenarios—such as client services, automated systems, or third-party integrations—often rely on OAuth2 access tokens, token exchanges (STS), or token introspection flows instead of full OIDC sign-in flows. Native support for these scenarios would make ToolHive much more flexible and compatible with OAuth2-first infrastructures.

Labels: enhancement (New feature or request)