feat: implement RFC 6750 Bearer token authentication (#18644)
# Add RFC 6750 Bearer Token Authentication Support This PR implements RFC 6750 Bearer Token authentication as an additional authentication method for Coder's API. This allows clients to authenticate using standard OAuth 2.0 Bearer tokens in two ways: 1. Using the `Authorization: Bearer <token>` header 2. Using the `access_token` query parameter Key changes: - Added support for extracting tokens from both Bearer headers and access_token query parameters - Implemented proper WWW-Authenticate headers for 401/403 responses with appropriate error descriptions - Added comprehensive test coverage for the new authentication methods - Updated the OAuth2 protected resource metadata endpoint to advertise Bearer token support - Enhanced the OAuth2 testing script to verify Bearer token functionality These authentication methods are added as fallback options, maintaining backward compatibility with Coder's existing authentication mechanisms. The existing authentication methods (cookies, session token header, etc.) still take precedence. This implementation follows the OAuth 2.0 Bearer Token specification (RFC 6750) and improves interoperability with standard OAuth 2.0 clients.
@ -431,9 +431,8 @@ func (api *API) oauth2ProtectedResourceMetadata(rw http.ResponseWriter, r *http.
AuthorizationServers: []string{api.AccessURL.String()},
// TODO: Implement scope system based on RBAC permissions
ScopesSupported: []string{},
// Note: Coder uses custom authentication methods, not RFC 6750 bearer tokens
// TODO(ThomasK33): Implement RFC 6750
// BearerMethodsSupported: []string{}, // Omitted - no standard bearer token support
// RFC 6750 Bearer Token methods supported as fallback methods in api key middleware
BearerMethodsSupported: []string{"header", "query"},
}
httpapi.Write(ctx, rw, http.StatusOK, metadata)
}
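Review bot: Advertising `"query"` in `BearerMethodsSupported` publicly commits the API to accepting the token in the URL, and RFC 6750 §2.3 says that method SHOULD NOT be used unless the Authorization header is unavailable, because URLs are routinely captured in access logs, proxy logs, browser history and Referer headers. The comment on the preceding line only says the methods are fallbacks; it should record that trade-off so the next maintainer does not treat `query` as equivalent to `header`, e.g. `// "query" (access_token parameter) is advertised for clients that cannot set headers; RFC 6750 §2.3 discourages it because the token lands in URL logs — request logging must redact access_token and responses to such requests should carry Cache-Control: private.` If the middleware's request logging does not already redact that parameter, I would drop `"query"` from the advertised list until it does. The enclosing oauth2ProtectedResourceMetadata function starts before this hunk, so the rest of the metadata struct is not visible here.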