feat: add per-user OAuth consent flow with identity selection and MCP authentication #2552

Merged
akshaydeo merged 1 commit into v1.5.0 from 04-07-fix_oauth_user_level_oauth_fixes
Apr 8, 2026

Conversation

@Pratham-Mishra04
Collaborator

Summary

Implements a comprehensive per-user OAuth consent flow for MCP (Model Context Protocol) servers. This adds a multi-step authentication process where users can authenticate with upstream services (like Notion, GitHub) through a web interface before using MCP tools, replacing the previous runtime-only authentication approach.

Changes

  • New consent flow architecture: Added TablePerUserOAuthPendingFlow to track OAuth state through multi-step consent screens
  • Identity selection page: Users can choose between Virtual Key, User ID, or skip authentication entirely
  • MCP services page: Shows available services and their connection status with one-click authentication
  • Enhanced token management: Tokens are now linked to user identities and transferred between flow stages
  • Improved error handling: Better distinction between "token not found" vs actual errors, with clearer messaging for missing user identity
  • Database migrations: Added new tables and columns to support the consent flow
  • MCP gateway integration: Direct context injection prevents header spoofing and enables proper identity tracking

Key design decisions:

  • Flow proxy tokens (flow:<flowID>) temporarily store upstream tokens during consent
  • Session reuse in token endpoint maintains consistency with upstream authentications
  • Lazy authentication fallback when users skip identity selection

Type of change

  • Feature

Affected areas

  • Core (Go)
  • Transports (HTTP)

How to test

  1. Configure an MCP server with per_user_oauth authentication
  2. Access the MCP endpoint without authentication - should receive 401 with OAuth discovery
  3. Follow the OAuth flow through identity selection and service authentication
  4. Verify tools work with the authenticated session
```sh
# Core/Transports
go version
go test ./...
```

Test the consent flow:

  1. Start Bifrost with per-user OAuth MCP clients configured
  2. Navigate to /mcp endpoint - should redirect to OAuth authorization
  3. Complete the consent flow with Virtual Key or User ID
  4. Verify MCP tools can access authenticated services

Screenshots/Recordings

The consent flow includes:

  • Identity selection page with Virtual Key/User ID options
  • MCP services page showing connection status
  • Success/error pages with consistent Bifrost theming

Breaking changes

  • Yes
  • No

This is additive functionality that enhances the existing per-user OAuth system without breaking existing integrations.

Related issues

Enhances MCP per-user OAuth capabilities by providing a user-friendly consent interface instead of requiring runtime authentication prompts.

Security considerations

  • Flow tokens are prefixed and time-limited (15 minutes)
  • PKCE is used throughout the OAuth flows
  • Identity context is injected directly (not via headers) to prevent spoofing
  • Tokens are properly hashed and encrypted in storage
  • Session tokens are securely transferred between flow stages

Checklist

  • I read docs/contributing/README.md and followed the guidelines
  • I added/updated tests where appropriate
  • I updated documentation where needed
  • I verified builds succeed (Go and UI)
  • I verified the CI pipeline passes locally if applicable
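The "Security considerations" list above names four properties of the pending-flow state (a `flow:<flowID>` prefix, a 15-minute lifetime, PKCE throughout, and hashed token storage) without showing how they fit together. The following is an added illustration, not Bifrost's own code: a minimal in-memory pending-flow store in Go that issues a prefixed flow token, keeps the PKCE verifier server-side and derives the S256 challenge from it, keys storage by the SHA-256 of the token, and hands the parked upstream token to the next stage exactly once, distinguishing "not found", "expired" and "not a flow token" as separate errors. All names (`flowStore`, `Begin`, `Park`, `Redeem`, the `flowTTL` constant) are assumptions made for this example and are not identifiers from the PR.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Assumed values for this example; the PR names the prefix and the 15-minute limit.
const (
	flowTokenPrefix = "flow:"
	flowTTL         = 15 * time.Minute
)

// Distinct errors so callers can tell a missing flow from a stale or malformed one.
var (
	ErrFlowNotFound = errors.New("pending flow not found")
	ErrFlowExpired  = errors.New("pending flow expired")
	ErrBadPrefix    = errors.New("not a flow token")
)

// pendingFlow is the server-side state for one in-progress consent flow.
type pendingFlow struct {
	codeVerifier  string // PKCE verifier; never leaves the server
	upstreamToken string // upstream access token parked until consent completes
	expiresAt     time.Time
}

// flowStore keys flows by SHA-256(flow token): a dump of the map yields no usable tokens.
type flowStore struct {
	mu    sync.Mutex
	flows map[string]*pendingFlow
	now   func() time.Time // injectable clock for testing expiry
}

func newFlowStore(now func() time.Time) *flowStore {
	return &flowStore{flows: map[string]*pendingFlow{}, now: now}
}

// randomURLSafe returns nBytes of CSPRNG output as unpadded base64url.
func randomURLSafe(nBytes int) (string, error) {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// pkceChallenge derives the S256 code_challenge from a code_verifier (RFC 7636).
func pkceChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// hashToken is the storage key for a token: hex(SHA-256(token)).
func hashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Begin creates a pending flow; returns the browser-facing flow token and the PKCE pair.
func (s *flowStore) Begin() (flowToken, verifier, challenge string, err error) {
	id, err := randomURLSafe(32)
	if err != nil {
		return "", "", "", err
	}
	verifier, err = randomURLSafe(32) // 43 chars, inside RFC 7636's 43..128 range
	if err != nil {
		return "", "", "", err
	}
	flowToken = flowTokenPrefix + id
	s.mu.Lock()
	s.flows[hashToken(flowToken)] = &pendingFlow{codeVerifier: verifier, expiresAt: s.now().Add(flowTTL)}
	s.mu.Unlock()
	return flowToken, verifier, pkceChallenge(verifier), nil
}

// lookup checks prefix and expiry; an expired entry is deleted when seen. Caller holds s.mu.
func (s *flowStore) lookup(flowToken string) (*pendingFlow, string, error) {
	if !strings.HasPrefix(flowToken, flowTokenPrefix) {
		return nil, "", ErrBadPrefix
	}
	key := hashToken(flowToken)
	pf, ok := s.flows[key]
	if !ok {
		return nil, "", ErrFlowNotFound
	}
	if !s.now().Before(pf.expiresAt) {
		delete(s.flows, key)
		return nil, "", ErrFlowExpired
	}
	return pf, key, nil
}

// Park attaches the upstream token to the flow after the upstream OAuth callback.
func (s *flowStore) Park(flowToken, upstreamToken string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	pf, _, err := s.lookup(flowToken)
	if err != nil {
		return err
	}
	pf.upstreamToken = upstreamToken
	return nil
}

// Redeem releases the parked upstream token to the final stage exactly once.
func (s *flowStore) Redeem(flowToken string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	pf, key, err := s.lookup(flowToken)
	if err != nil {
		return "", err
	}
	delete(s.flows, key)
	return pf.upstreamToken, nil
}

func main() {
	s := newFlowStore(time.Now)
	tok, _, challenge, _ := s.Begin()
	fmt.Println("flow token:", tok, "code_challenge:", challenge)
	_ = s.Park(tok, "constructed-upstream-token")
	up, err := s.Redeem(tok)
	fmt.Println("redeemed:", up, err)
	_, err = s.Redeem(tok) // second use fails: the entry was consumed
	fmt.Println("replay:", err)
}
```

The one-shot `Redeem` is what makes the flow token a safe carrier for the upstream credential: once the final stage has picked it up, a leaked or replayed flow token is worth nothing, and the separate error values let a handler map "not found" and "expired" to a clear re-authentication message while surfacing a wrong prefix as a client bug.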


4 participants