[BUG][AUTH]: OAuth providers return opaque tokens instead of JWT tokens #2149

@bradmcnew

Description

Problem

OAuth providers that support both opaque and JWT access tokens (such as BetterAuth, Auth0, etc.) return
opaque tokens by default when the RFC 8707 resource parameter is not included in the token request.

This causes MCP servers expecting JWT tokens to fail with "Invalid Compact JWS" errors when attempting
to verify the opaque token.

Current Behavior

  1. User initiates OAuth flow via /oauth/authorize/{gateway_id}
  2. OAuth provider redirects to /oauth/callback with authorization code
  3. Context Forge exchanges code for access token WITHOUT resource parameter
  4. OAuth provider returns opaque token (single string, 1 part)
  5. MCP server attempts JWT verification → fails with ERR_JWS_INVALID

Expected Behavior

  1. Context Forge includes RFC 8707 resource parameter in token request
  2. OAuth provider returns JWT token (3 parts: header.payload.signature)
  3. MCP server successfully verifies JWT token

Proposed Solution

Implement RFC 8707 Resource Indicators support:

  • Set resource parameter to gateway.url (the MCP server URL)
  • Include resource in both authorization URL and token exchange request
  • Works automatically for all OAuth gateways, no configuration needed
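As an added example (not ContextForge's own code), the following Python shows how a gateway would carry the RFC 8707 `resource` indicator through both the authorization redirect and the token exchange described above, and a cheap structural pre-check that tells an opaque token from a compact JWS before the MCP server's verifier raises "Invalid Compact JWS". Endpoint URLs and token values are constructed; `validate_resource` is a hypothetical helper.

```python
import base64
import json
from urllib.parse import urlencode, urlsplit

def validate_resource(resource: str) -> str:
    """RFC 8707 section 2: the resource MUST be an absolute URI without a fragment.
    Hypothetical helper that fails early on a misconfigured gateway URL."""
    parts = urlsplit(resource)
    if not parts.scheme or not parts.netloc or parts.fragment:
        raise ValueError(f"invalid RFC 8707 resource indicator: {resource!r}")
    return resource

def build_authorization_url(authorize_endpoint, client_id, redirect_uri, scope, state, resource):
    """Step 1 of the fix: the same resource the gateway will ask for at token
    exchange is announced in the authorization request."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "resource": validate_resource(resource),
    }
    return f"{authorize_endpoint}?{urlencode(params)}"

def build_token_request(code, redirect_uri, client_id, resource):
    """Step 2: form body for the code exchange. Without 'resource' the
    providers named in the issue fall back to an opaque token."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "resource": validate_resource(resource),
    }

def token_kind(access_token: str) -> str:
    """'jwt' for a three-segment compact JWS whose first segment is a JSON
    header with an 'alg' member, 'opaque' otherwise. Lets the gateway log a
    clear diagnosis instead of the verifier's bare ERR_JWS_INVALID."""
    segments = access_token.split(".")
    if len(segments) != 3:
        return "opaque"
    header_b64 = segments[0] + "=" * (-len(segments[0]) % 4)  # restore padding
    try:
        header = json.loads(base64.urlsafe_b64decode(header_b64))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return "opaque"
    return "jwt" if isinstance(header, dict) and "alg" in header else "opaque"
```

Classifying the token in the callback handler gives a log line such as "provider returned an opaque token for resource X" instead of a JWS parse failure deep inside the MCP server.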

Impact

  • Affects all OAuth-enabled gateways using providers that support both token types
  • No breaking changes - transparent enhancement
  • Enables JWT token verification for MCP servers

RFC Reference

Labels

bug (Something isn't working), security (Improves security)