Add better support for JWT bearer token authentication in openidconnectbearer mode to enable external API calls

[tylerjmchugh]

Currently, when users authenticate via JWT bearer tokens with the openidconnectbearer auth type, the application cannot access the original token to pass to external APIs. The previous approach relied on OAuth2AuthenticationToken with OAuth2AuthorizedClientManager, which requires an authorized client in the application. This fails for bearer token users since they are external (never logged into the application directly) and have no authorized client.

Additionally, bearer token authentication is stateless with no server session. The JWT token is lost after parsing into an OAuth2User principal, making it unavailable for subsequent external API calls.

This PR aims to fix this by:

• Refactoring token parsing to return Spring's native Jwt object instead of Map, preserving the original token throughout the request lifecycle
• Replacing OAuth2AuthenticationToken with JwtAuthenticationToken, which stores the decoded Jwt containing the original token accessible via getToken().getTokenValue()
• Updating security utilities to detect bearer token authentication and return the token directly without requiring an authorized client
• Consolidating authentication type handling (Keycloak, OIDC, OAuth2, JWT) across listeners and criteria with unified username extraction
• Adding required Spring Security OAuth2 dependencies

This enables the openidconnectbearer auth type to make authenticated external API calls with the user's token.

Checklist

• I have read the contribution guidelines
• Pull request provided for main branch, backports managed with label
• Good housekeeping of code, cleaning up comments, tests, and documentation
• Clean commit history broken into understandable chucks, avoiding big commits with hundreds of files, cautious of reformatting and whitespace changes
• Clean commit messages, longer verbose messages are encouraged
• API Changes are identified in commit messages
• Testing provided for features or enhancements using automatic tests
• User documentation provided for new features or enhancements in manual
• Build documentation provided for development instructions in README.md files
• Library management using pom.xml dependency management. Update build documentation with intended library use and library tutorials or documentation

[xiechangning20]

Looks like you're trying to get the username but this will actually return the subject of the principal, based on Spring java docs In our case, it will be the uuid from Keycloak
Sth like following might work but I have not tested it
authentication.getToken().getClaim(StandardClaimNames.PREFERRED_USERNAME)

[tylerjmchugh]

It should not be the subject as I set the name myself when I create the authentication in GeonetworkJwtAuthenticationProvider using the 3 arg constructor. The value comes from the extractUsername method which extracts the username from a list of options starting with the value configured in geonetwork.