authentication providers should check for valid hostnames before adding anything

[baywet]

The authentication provider should not add any auth information to a request that's not going to hosts we "know".
The AuthenticationProvider interface needs two more methods: Set/GetValidHostNames (hashset).
This then needs to be implemented in the base bearer authentication provider, which needs to check the hostname is present in that list before it adds the authorization header.
The request adapter interface needs to expose a getter to the authentication provider.
Finally, the constructor for the api client needs to set the value based on information available (hosts) in the OpenAPI description.