
Add OIDC Token Exchange For Org Admin OAuth Access #4711

Merged
shepilov merged 6 commits into master from feat/impersonate_oidc_user
Apr 9, 2026

Conversation

@shepilov
Contributor

Context

The B2B admin app needs to create shared drives on an organization's Cozy instance directly from the browser. The admin user is authenticated by an external OIDC provider, but the target organization Cozy expects normal Cozy OAuth credentials.

Simple flow:

  • Admin frontend calls the target org Cozy directly
  • Cozy validates the external id_token
  • Cozy creates a normal OAuth client on the org instance
  • Cozy returns standard OAuth credentials usable by cozy-client

Changes:

  • Added POST /auth/token_exchange on the normal API.
  • Kept /auth/* globally blocked by generic CORS, and added dedicated CORS handling only for /auth/token_exchange.
  • Restricted token-exchange CORS to origins under the target instance OrgDomain.
  • Added CSP connect-src allowances for:
    • api-login-{orgId}.{base-domain}
    • {orgId}.{base-domain}
    • {orgId}.{orgDomain}
  • Implemented token exchange validation:
    • OIDC signature / issuer / audience checks
    • org_id must match the target instance
    • org_role must be owner or admin
  • Returned a standard OAuth response extended with:
    • client_id
    • client_secret
    • registration_access_token
  • Bound exchanged OAuth clients to OIDC sid when present, so they can be revoked by backchannel logout.
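
The validation steps listed above (issuer, audience, expiry, org_id match, owner/admin role) and the OrgDomain-scoped CORS rule, as an added stand-alone example in Go that is not code from this PR or from cozy-stack. Claim names org_id, org_role and sid are taken from the description; the struct layout, function names, error values, the constructed sample payload and the target-instance type are assumptions, and id_token signature verification against the provider's keys is taken as already done by the caller.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Audience accepts both the string and the array form that OIDC allows for "aud".
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*a = Audience{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud must be a string or an array of strings")
	}
	*a = Audience(many)
	return nil
}

// Contains reports whether want is one of the audiences.
func (a Audience) Contains(want string) bool {
	for _, v := range a {
		if v == want {
			return true
		}
	}
	return false
}

// ExchangeClaims is a hypothetical claim set: org_id, org_role and sid are the
// claim names the PR description mentions; iss, aud and exp are standard OIDC claims.
type ExchangeClaims struct {
	Issuer  string   `json:"iss"`
	Aud     Audience `json:"aud"`
	Expiry  int64    `json:"exp"`
	OrgID   string   `json:"org_id"`
	OrgRole string   `json:"org_role"`
	SID     string   `json:"sid,omitempty"`
}

// TargetInstance is the subset of instance settings the checks need (assumed shape).
type TargetInstance struct {
	OrgID     string
	OrgDomain string
}

var (
	ErrIssuer   = errors.New("token_exchange: issuer mismatch")
	ErrAudience = errors.New("token_exchange: audience mismatch")
	ErrExpired  = errors.New("token_exchange: token expired")
	ErrOrg      = errors.New("token_exchange: org_id does not match target instance")
	ErrRole     = errors.New("token_exchange: org_role must be owner or admin")
)

// ParseClaims decodes an already signature-verified JWT payload into ExchangeClaims.
func ParseClaims(payload []byte) (ExchangeClaims, error) {
	var c ExchangeClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, fmt.Errorf("token_exchange: bad claims: %w", err)
	}
	return c, nil
}

// ValidateExchangeClaims applies the checks the PR lists, in order, and returns
// the first failure so the caller can reject with a specific reason.
func ValidateExchangeClaims(c ExchangeClaims, expIssuer, expAud string, target TargetInstance, now time.Time) error {
	if c.Issuer == "" || c.Issuer != expIssuer {
		return ErrIssuer
	}
	if !c.Aud.Contains(expAud) {
		return ErrAudience
	}
	if c.Expiry == 0 || !now.Before(time.Unix(c.Expiry, 0)) {
		return ErrExpired
	}
	if c.OrgID == "" || c.OrgID != target.OrgID {
		return ErrOrg
	}
	switch c.OrgRole {
	case "owner", "admin":
	default:
		return ErrRole
	}
	return nil
}

// AllowedTokenExchangeOrigin mirrors the CORS rule described in the PR: only https
// origins whose host is OrgDomain itself or a subdomain of it may call the endpoint.
// The "."+orgDomain suffix check rejects look-alike hosts such as evilacme.example.
func AllowedTokenExchangeOrigin(origin string, orgDomain string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" || u.Path != "" || u.User != nil {
		return false
	}
	host := strings.ToLower(u.Hostname())
	orgDomain = strings.ToLower(orgDomain)
	return host == orgDomain || strings.HasSuffix(host, "."+orgDomain)
}

func main() {
	target := TargetInstance{OrgID: "acme", OrgDomain: "acme.example"} // constructed
	// Constructed sample payload; a real one is the verified id_token's claim set.
	payload := []byte(`{"iss":"https://idp.example","aud":["b2b-admin"],"exp":4102444800,"org_id":"acme","org_role":"admin","sid":"sess-1"}`)
	c, err := ParseClaims(payload)
	if err != nil {
		fmt.Println(err)
		return
	}
	err = ValidateExchangeClaims(c, "https://idp.example", "b2b-admin", target, time.Now())
	fmt.Println("claims valid:", err == nil)
	fmt.Println("origin allowed:", AllowedTokenExchangeOrigin("https://admin.acme.example", target.OrgDomain))
}
```

The role check is a closed allowlist rather than a denylist, so any new or unexpected org_role value fails closed; the origin check requires https and anchors the domain match on a dot so that a prefix collision on OrgDomain does not pass CORS.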

@shepilov shepilov requested a review from a team as a code owner March 25, 2026 13:54
@shepilov shepilov changed the title Feat/impersonate OIDC user Add OIDC Token Exchange For Org Admin OAuth Access Mar 25, 2026
@shepilov shepilov force-pushed the feat/impersonate_oidc_user branch from d4ebf07 to 4cda41c March 25, 2026 14:01
@shepilov shepilov force-pushed the feat/impersonate_oidc_user branch from 4cda41c to 4f82c03 March 25, 2026 14:06
Comment thread web/auth/token_exchange.go Outdated
Comment thread web/auth/token_exchange.go
Comment thread web/auth/token_exchange.go
Comment thread web/auth/token_exchange.go
Comment thread web/auth/token_exchange.go
Comment thread web/auth/token_exchange.go Outdated
Comment thread web/auth/token_exchange.go Outdated
@shepilov shepilov merged commit 84a60d7 into master Apr 9, 2026
4 checks passed
@shepilov shepilov deleted the feat/impersonate_oidc_user branch April 9, 2026 12:41
