Add authorization and callback handlers for authserver

[jhrozek]

This patch implements the OAuth 2.0 authorization code flow handlers for the authserver.

The authorize handler validates incoming requests via fosite, generates cryptographic secrets for upstream correlation (state, PKCE verifier, nonce), stores the pending authorization, and redirects clients to the upstream identity provider.

The callback handler receives the upstream response, exchanges the authorization code using the stored PKCE verifier, resolves the user identity through the UserResolver which maps provider subjects to internal users, stores the upstream tokens with session binding, and issues our own authorization code back to the client. Both handlers use fosite's RFC 6749 compliant error responses and properly clean up state on failure.

These handlers integrate into the authserver as the core authentication entry points, sitting between downstream clients and the upstream identity provider. They rely on the storage layer for persisting pending authorizations, upstream tokens, users, and provider identities.

The UserResolver provides identity mapping by maintaining a link between upstream provider subjects and internal user IDs, enabling a single user to potentially link multiple provider identities. The handlers connect to the upstream OAuth2Provider interface which abstracts the specific identity provider implementation, allowing the authserver to work with different OIDC providers without handler changes.

Large PR Justification

The two handlers provide the oauth flow, reviewing authorize and callback in isolation would I think be just harder even if less code. What could be split was the UserResolver interface and its tests, but that's a small piece of the PR, line-wise.

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

[codecov]

Codecov Report

❌ Patch coverage is 79.28287% with 52 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.03%. Comparing base (4110032) to head (0d5ff40).

Files with missing lines	Patch %	Lines
pkg/authserver/server/handlers/callback.go	73.57%	28 Missing and 9 partials ⚠️
pkg/authserver/server/handlers/authorize.go	75.40%	12 Missing and 3 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3370      +/-   ##
==========================================
+ Coverage   64.94%   65.03%   +0.09%     
==========================================
  Files         375      378       +3     
  Lines       36603    36849     +246     
==========================================
+ Hits        23771    23965     +194     
- Misses      10962    11002      +40     
- Partials     1870     1882      +12     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Large PR justification has been provided. Thank you!

[github-actions]

✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review.