
Conversation

yuhao-su
Contributor

@yuhao-su yuhao-su commented Sep 10, 2025

I hereby agree to the terms of the RisingWave Labs, Inc. Contributor License Agreement.

What's changed and what's your intention?

This PR implements OAuth audience validation. Fixes #23126.

Summary of changes:

  • Added OAuth audience (aud) validation functionality

How does this PR work:
The changes add validation logic to ensure that OAuth tokens contain the correct audience claim before accepting authentication.

Checklist

  • I have written necessary rustdoc comments.
  • I have added necessary unit tests and integration tests.
  • I have added test labels as necessary.
  • I have added fuzzing tests or opened an issue to track them.
  • My PR contains breaking changes.
  • My PR changes performance-critical code, so I will run (micro) benchmarks and present the results.
  • I have checked the Release Timeline and Currently Supported Versions to determine which release branches I need to cherry-pick this PR into.

Documentation

  • My PR needs documentation updates.

Release note

https://docs.risingwave.com/sql/commands/sql-create-user

We need to update this page to tell users that when using OAuth, the JWT should contain an `aud` claim with the value urn:risingwave:cluster:your_cluster_id

🤖 Generated with Claude Code
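To make the audience rule concrete, here is an added example (my own code, not RisingWave's or this PR's) of an exact-match check on a decoded `aud` claim against the `urn:risingwave:cluster:<cluster_id>` audience the PR describes. RFC 7519 allows `aud` to be a single string or an array of strings, so both forms are handled, and a token without any `aud` is rejected rather than waved through. The `Audience` and `AudError` types are assumptions for the example, standing in for whatever claim representation the JWT library hands back.

```rust
// Added example, not RisingWave code: exact-match validation of a JWT `aud`
// claim against the per-cluster audience format used in this PR.

/// The audience every token for this cluster must carry.
pub fn audience_from_cluster_id(cluster_id: &str) -> String {
    format!("urn:risingwave:cluster:{}", cluster_id)
}

/// RFC 7519 permits `aud` to be either one string or an array of strings.
/// (Assumed representation for the example.)
#[derive(Debug, Clone, PartialEq)]
pub enum Audience {
    Single(String),
    Multiple(Vec<String>),
}

#[derive(Debug, PartialEq)]
pub enum AudError {
    /// The token carries no `aud` at all; refuse it instead of treating
    /// "no audience" as "any audience".
    Missing,
    /// None of the token's audiences equals the expected one.
    Mismatch { expected: String },
}

/// Accept only if one listed audience equals `expected` byte-for-byte:
/// case-sensitive, no prefix or substring matching, so a token minted for
/// cluster `abc-1` cannot pass for cluster `abc-12`.
pub fn validate_audience(aud: Option<&Audience>, expected: &str) -> Result<(), AudError> {
    let matched = match aud {
        None => return Err(AudError::Missing),
        Some(Audience::Single(s)) => s == expected,
        Some(Audience::Multiple(list)) => list.iter().any(|s| s == expected),
    };
    if matched {
        Ok(())
    } else {
        Err(AudError::Mismatch { expected: expected.to_string() })
    }
}

fn main() {
    // Constructed sample: a token issued for the right cluster plus one other.
    let expected = audience_from_cluster_id("abc-123");
    let aud = Audience::Multiple(vec!["urn:example:other".into(), expected.clone()]);
    println!("{:?}", validate_audience(Some(&aud), &expected));
}
```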

@yuhao-su yuhao-su requested a review from a team as a code owner September 10, 2025 02:43
@yuhao-su yuhao-su requested a review from lmatz September 10, 2025 02:43
@github-actions github-actions bot added the type/feature Type: New feature. label Sep 10, 2025
@yuhao-su yuhao-su changed the title feat(connector): implement OAuth audience validation for Snowflake feat(connector): implement OAuth audience validation Sep 10, 2025
@yuhao-su yuhao-su changed the title feat(connector): implement OAuth audience validation feat(pgwire): implement OAuth audience validation Sep 10, 2025
@yezizp2012
Member

Seems to solve the same issue as this one 🥵: #23143.

metadata: &HashMap<String, String>,
) -> Result<bool, BoxedError> {
let header = decode_header(jwt)?;
let _header = decode_header(jwt)?;
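Review bot: `_header` is decoded from the token and then never used, so the rename from `header` only silences the unused-variable warning without settling what the call is for. If `decode_header(jwt)?` is kept deliberately so that a token with a malformed header is rejected before any claim is examined, a one-line comment should say so; otherwise the line should go, as the suggestion in this thread proposes.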
Member


Suggested change
let _header = decode_header(jwt)?;

}

fn audience_from_cluster_id(cluster_id: &str) -> String {
format!("urn:risingwave:cluster:{}", cluster_id)
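Review bot: `audience_from_cluster_id` defines the exact string every token issuer has to reproduce, so it needs a rustdoc comment spelling out the `urn:risingwave:cluster:<cluster_id>` format (the checklist's rustdoc item applies here) and a unit test pinning the output for a sample id, so that any later change to the format is deliberate and documented rather than an accidental break of every already-issued token.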
Member


Please add a user-facing label to this PR, along with any necessary documentation. Especially the audience format, which will be used to generate the token.

With aud becoming a required field after this PR, Cloud must patch and deploy a version that generates tokens with the audience in the specified format, prior to any releases. Cc @xuhui-lu .
And @yuhao-su, we also need a way to expose the internal cluster_id to Cloud, perhaps via a SQL function.

Development

Successfully merging this pull request may close these issues.

OAuth audience validation fails when JWT contains "aud" claim