auth: lift oidc test stub into internal/testutil/oidcstub
feat(auth): forward-auth + OIDC bearer middleware with shared allowlist