Implement token-exchange and downstream authenticator support in ToolHive proxy #2041

@yrobla

Description

Add a token-exchange flow to the ToolHive proxy so it can: accept an incoming client token, perform an OAuth2 token exchange (RFC 8693) with the downstream identity provider, and inject a per-call or per-session downstream token (e.g. THV-HEADER: or Authorization: Bearer ) into requests forwarded to modified MCP servers or a network wrapper.
It will enable remote MCP tooling to call third-party APIs on behalf of a user without requiring the MCP server itself to hold long-lived user tokens.

  • Implement code to manage token exchange flow
  • Unit & integration tests cover exchange happy path, exchange failure handling, and stale token rotation
  • Documentation page / README describing the configuration and workflow. Document possible security issues with the approach (see MCP security best practices)
  • To include IdP admin configuration: document what setup steps are required on the identity provider side (e.g. Okta, Azure AD) so an enterprise admin can connect their IdP to ToolHive, including creating an OAuth application, enabling token-exchange grant, defining audience/scope mappings, and supplying the token endpoint and client credentials to the THV configuration.
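The exchange-and-inject flow described above, as an added example that is not part of this issue or of ToolHive's code base: a Go sketch that performs the RFC 8693 request against an IdP token endpoint, caches the downstream token per subject (keyed by a hash, so the raw client token is never stored) and rotates it 30 seconds before its expiry, refuses to forward when the IdP rejects the exchange, and swaps the Authorization header before the request goes on to the MCP server. The type and function names (Exchanger, InjectDownstream, Demo), the configuration fields, the cache policy and the fake IdP with its constructed client credentials and tokens are all assumptions made for this example.

```go
package main

import (
	"context"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// Exchanger does an RFC 8693 token exchange against an IdP token endpoint and caches the result per subject until shortly before expiry; field names, cache policy and the 30s margin are assumptions for this example.
type Exchanger struct {
	TokenURL, ClientID, ClientSecret, Audience, Scope string
	HTTP                                             *http.Client
	cache                                            sync.Map // SHA-256(subject token) -> cached
}

type cached struct{ token string; exp time.Time }

// Exchange returns a downstream access token for subject (the incoming client token).
func (e *Exchanger) Exchange(ctx context.Context, subject string) (string, error) {
	k := sha256.Sum256([]byte(subject)) // the cache key never holds the raw client token
	if v, hit := e.cache.Load(k); hit && time.Now().Before(v.(cached).exp) {
		return v.(cached).token, nil
	}
	form := url.Values{
		"grant_type":         {"urn:ietf:params:oauth:grant-type:token-exchange"},
		"subject_token":      {subject},
		"subject_token_type": {"urn:ietf:params:oauth:token-type:access_token"},
		"audience":           {e.Audience},
		"scope":              {e.Scope},
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, e.TokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(e.ClientID, e.ClientSecret) // the proxy authenticates as the registered OAuth client
	resp, err := e.HTTP.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var tr struct{ AccessToken string `json:"access_token"`; ExpiresIn int `json:"expires_in"` }
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&tr) != nil || tr.AccessToken == "" {
		return "", fmt.Errorf("token exchange failed: %s", resp.Status) // no fallback to the client's own token
	}
	// Treat the token as stale 30s before the IdP expiry so it is rotated before a downstream 401.
	e.cache.Store(k, cached{tr.AccessToken, time.Now().Add(time.Duration(tr.ExpiresIn-30) * time.Second)})
	return tr.AccessToken, nil
}

// InjectDownstream swaps the client's bearer token on r for a downstream token, so the forwarded
// request never carries the client's own credential to the MCP server.
func InjectDownstream(ex *Exchanger, r *http.Request) error {
	auth := r.Header.Get("Authorization")
	subject := strings.TrimPrefix(auth, "Bearer ")
	if subject == "" || subject == auth {
		return fmt.Errorf("missing bearer token")
	}
	down, err := ex.Exchange(r.Context(), subject)
	if err != nil {
		return err
	}
	r.Header.Set("Authorization", "Bearer "+down)
	return nil
}

// Demo runs the flow against a constructed fake IdP (credentials and tokens are made up for this example).
func Demo() (header string, idpCalls int, rejected bool) {
	idp := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		idpCalls++
		if u, p, _ := r.BasicAuth(); r.ParseForm() != nil || u != "thv-proxy" || p != "secret" || r.Form.Get("subject_token") != "client-token" {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		json.NewEncoder(w).Encode(map[string]any{"access_token": "downstream-token", "expires_in": 300})
	}))
	defer idp.Close()
	ex := &Exchanger{TokenURL: idp.URL + "/token", ClientID: "thv-proxy", ClientSecret: "secret", Audience: "mcp-api", Scope: "read", HTTP: http.DefaultClient}
	for i := 0; i < 2; i++ { // the second pass is served from the cache, no IdP round trip
		req := httptest.NewRequest(http.MethodGet, "/v1/tools", nil)
		req.Header.Set("Authorization", "Bearer client-token")
		if err := InjectDownstream(ex, req); err == nil {
			header = req.Header.Get("Authorization")
		}
	}
	forged := httptest.NewRequest(http.MethodGet, "/v1/tools", nil)
	forged.Header.Set("Authorization", "Bearer forged-token")
	rejected = InjectDownstream(ex, forged) != nil // exchange failure means the request is not forwarded
	return header, idpCalls, rejected
}

func main() { fmt.Println(Demo()) }
```

Running it prints the header the MCP server would receive, the number of IdP round trips (two: the cached second call costs none, the rejected token costs one) and whether the forged token was refused. The IdP-side setup the issue lists (registering the OAuth client, enabling the token-exchange grant, defining audience and scope mappings) corresponds to the ClientID/ClientSecret, grant_type and audience/scope values in the request; when the exchange fails the proxy returns an error rather than forwarding the client's own token, which is the failure mode the documentation item should call out.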
