feat: implement RFC 6750 Bearer token authentication (#18644)

# Add RFC 6750 Bearer Token Authentication Support

This PR implements RFC 6750 Bearer Token authentication as an additional authentication method for Coder's API. This allows clients to authenticate using standard OAuth 2.0 Bearer tokens in two ways:

1. Using the `Authorization: Bearer <token>` header
2. Using the `access_token` query parameter

Key changes:

- Added support for extracting tokens from both Bearer headers and access_token query parameters
- Implemented proper WWW-Authenticate headers for 401/403 responses with appropriate error descriptions
- Added comprehensive test coverage for the new authentication methods
- Updated the OAuth2 protected resource metadata endpoint to advertise Bearer token support
- Enhanced the OAuth2 testing script to verify Bearer token functionality

These authentication methods are added as fallback options, maintaining backward compatibility with Coder's existing authentication mechanisms. The existing authentication methods (cookies, session token header, etc.) still take precedence.

This implementation follows the OAuth 2.0 Bearer Token specification (RFC 6750) and improves interoperability with standard OAuth 2.0 clients.

scripts/oauth2/test-mcp-oauth2.sh

@@ -170,6 +170,53 @@ else
 	echo -e "${RED}✗ Token refresh failed${NC}\n"
 fi
 
+# Test 6: RFC 6750 Bearer Token Authentication
+echo -e "${YELLOW}Test 6: RFC 6750 Bearer Token Authentication${NC}"
+ACCESS_TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.access_token')
+
+# Test Authorization: Bearer header
+echo -e "${BLUE}Testing Authorization: Bearer header...${NC}"
+BEARER_RESPONSE=$(curl -s -w "%{http_code}" "$BASE_URL/api/v2/users/me" \
+	-H "Authorization: Bearer $ACCESS_TOKEN")
+
+HTTP_CODE="${BEARER_RESPONSE: -3}"
+if [ "$HTTP_CODE" = "200" ]; then
+	echo -e "${GREEN}✓ Authorization: Bearer header working${NC}"
+else
+	echo -e "${RED}✗ Authorization: Bearer header failed (HTTP $HTTP_CODE)${NC}"
+fi
+
+# Test access_token query parameter
+echo -e "${BLUE}Testing access_token query parameter...${NC}"
+QUERY_RESPONSE=$(curl -s -w "%{http_code}" "$BASE_URL/api/v2/users/me?access_token=$ACCESS_TOKEN")
+
+HTTP_CODE="${QUERY_RESPONSE: -3}"
+if [ "$HTTP_CODE" = "200" ]; then
+	echo -e "${GREEN}✓ access_token query parameter working${NC}"
+else
+	echo -e "${RED}✗ access_token query parameter failed (HTTP $HTTP_CODE)${NC}"
+fi
+
+# Test WWW-Authenticate header on unauthorized request
+echo -e "${BLUE}Testing WWW-Authenticate header on 401...${NC}"
+UNAUTH_RESPONSE=$(curl -s -I "$BASE_URL/api/v2/users/me")
+if echo "$UNAUTH_RESPONSE" | grep -i "WWW-Authenticate.*Bearer" >/dev/null; then
+	echo -e "${GREEN}✓ WWW-Authenticate header present${NC}"
+else
+	echo -e "${RED}✗ WWW-Authenticate header missing${NC}"
+fi
+
+# Test 7: Protected Resource Metadata
+echo -e "${YELLOW}Test 7: Protected Resource Metadata (RFC 9728)${NC}"
+PROTECTED_METADATA=$(curl -s "$BASE_URL/.well-known/oauth-protected-resource")
+echo "$PROTECTED_METADATA" | jq .
+
+if echo "$PROTECTED_METADATA" | jq -e '.bearer_methods_supported[]' | grep -q "header"; then
+	echo -e "${GREEN}✓ Protected Resource Metadata indicates bearer token support${NC}\n"
+else
+	echo -e "${RED}✗ Protected Resource Metadata missing bearer token support${NC}\n"
+fi
+
 # Cleanup
 echo -e "${YELLOW}Cleaning up...${NC}"
 curl -s -X DELETE "$BASE_URL/api/v2/oauth2-provider/apps/$CLIENT_ID" \