[HTTP AUTH SPIKE - do not merge yet] Add HTTP transport with JWT middleware and configuration updates

[keremgocen]

• adds temporary helper flags
• ResourceIdentifier in config now we try to validate it in JWT's registeredClaims (audience in auth provider)
• fixes RFC 9728, the protected resource metadata header from Bearer realm= to Bearer resource_metadata=
• adds native corsMiddleware to allow all origins, we should disable this in main I think?
• updates golangci-lint config to complain about unused stuff and todo notes
• adds RBAC on tool calls via external auth roles and user permissions in the JWT

[Note] We are not planning to merge the extra auth flow endpoints apart from the changes in the handleProtectedResourceMetadata. This PR is for the rest of the team to test the auth changes locally.

[irene221b]

	// Redirect to Auth0 callback endpoint (typically not used, but for completeness)
	auth0URL := fmt.Sprintf("https://%s/login/callback?%s", s.config.Auth0Domain, r.URL.RawQuery)

How restricted is r.URL.RawQuery is? Can someone set it to ?#redirect=www.fake-target.site to achieve a redirect here?

[keremgocen]

How restricted is r.URL.RawQuery is? Can someone set it to ?#redirect=www.fake-target.site to achieve a redirect here?

Good call, as of now, it looks like both /authorize and /callback handlers are vulnerable to open redirect attacks, but we are not planning to merge these changes to main.

According to the MCP authorisation spec I was only expecting to implement the GET /.well-known/oauth-protected-resource endpoint, which returns the protected resource metadata per RFC9728. But I noticed vscode MCP client is actually calling these auth flow endpoints on the MCP server as well (it should call the auth server directly). We are trying to figure out why and if there's anything missing with our config, so hopefully everything in this PR apart from the resource metadata endpoint will be deleted.

(meanwhile I'll convert this PR to draft as well, thanks for the security ping😂)

[MacondoExpress]

I have to test it with an IDP, but from reading seem the flow we are expecting, all the comments are nitpicky comments!

[MacondoExpress]

In the case we want to merge this, I would move the flags logic outside the main file

[MacondoExpress]

I would remove these icons as they may create unnecessary friction when integrating with external services

[MacondoExpress]

Not sure if it's worth changing or adding a FIXME/TODO comment but in the future this URL could be:
"https://resource.example.com/.well-known/oauth-protected-resource" - therefore with a different protocol and optional port

[MacondoExpress]

Extremely nitpick, but if you think it could be helpful (I don't) the format of WWW-Authenticate is defined by the RFC 6750 but the resource_metadata value is defined by the https://datatracker.ietf.org/doc/html/rfc9728/#section-5.1