fix(core): Set token endpoint manually if client creds provided in server sdk_config (#1780)

### Proposed Changes

We run the server sdk in IPC mode so it does not reach out to well-known
on instantiation because well-known isnt running yet. This means the
token endpoint is never set. So if a service using the server sdk wanted
to do a decrypt for example (a request that needs an auth token) they
would get an error.
This will manually set the token endpoint on instantiation using the
issuer provided in the yaml config.

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions

Author: elizabethhealy

service/pkg/server/start.go

@@ -10,6 +10,7 @@ import (
 	"syscall"
 
 	"github.com/opentdf/platform/sdk"
+	"github.com/opentdf/platform/service/internal/auth"
 	"github.com/opentdf/platform/service/internal/config"
 	"github.com/opentdf/platform/service/internal/server"
 	"github.com/opentdf/platform/service/logger"
@@ -164,6 +165,14 @@ func Start(f ...StartOptions) error {
 	// If client credentials are provided, use them
 	if cfg.SDKConfig.ClientID != "" && cfg.SDKConfig.ClientSecret != "" {
 		sdkOptions = append(sdkOptions, sdk.WithClientCredentials(cfg.SDKConfig.ClientID, cfg.SDKConfig.ClientSecret, nil))
+
+		oidcconfig, err := auth.DiscoverOIDCConfiguration(ctx, cfg.Server.Auth.Issuer, logger)
+		if err != nil {
+			return fmt.Errorf("could not retrieve oidc configuration: %w", err)
+		}
+
+		// provide token endpoint -- sdk cannot discover it since well-known service isnt running yet
+		sdkOptions = append(sdkOptions, sdk.WithTokenEndpoint(oidcconfig.TokenEndpoint))
 	}
 
 	// If the mode is all, use IPC for the SDK client