[DRAFT] [OIDC 17] Add token API for trading bearer token for API key

[joelverhagen]

I will wait on merging this PR until more validation and review is done.

Progress on #10212.
Depends on #10306.

This adds a new token API for trading a bearer token for an API key.

A sample request is this:

POST /api/v2/token HTTP/1.1
Host: www.nuget.org
Authorization: Bearer {OIDC token}
Content-Type: application/json

{
    "token_type": "api_key",
    "username": "{username of the trust policy’s controlling user}"
}

A sample response is this:

HTTP/1.1 200 OK
Content-Type: application/json

{
   "token_type": "api_key",
   "expires": "{ISO 8601 timestamp of expiration}",
   "api_key": "{short lived API key in clear text}"
}

The endpoint expects no other existing auth mechanism (no cookie auth, no API key auth) and will reject the request if present.

In the future, the full /api/v2/token URL will be discovered by the client via a new resource in the service index. For now, it will be hard coded in custom client scripts.

The {OIDC token} in the request message will be an Entra ID token for a service principal. In the future this can be more token types such as GitHub Actions OIDC tokens.

The username is the username of the trust policy’s controlling user, NOT the package owner scope. This aligns with the current API key design where API keys are only owned by users but can be scoped to either users or organizations. I am not confident on this decision but given this is a "closed beta" feature, we can try it and see how it goes, and change later with minimum disruption.