
add client credentials auth flow #72

Merged
jasinner merged 1 commit into main from cognito-auth on Feb 27, 2026
Conversation

@jasinner
Collaborator

Extends TrustShell authentication to support Trustify instances that use Amazon Cognito in addition to existing Keycloak/Red Hat SSO.

Changes

  • Client credentials flow: When OIDC_CLIENT_SECRET is set, TrustShell obtains tokens via the OAuth2 client_credentials grant—no browser or callback URL required. Falls back to the existing PKCE flow when the grant is unsupported.
  • Configurable OIDC options: New environment variables for non-Keycloak providers:
    • OIDC_CLIENT_ID – app client ID (default: atlas-frontend)
    • OIDC_CLIENT_SECRET – enables client_credentials flow when set
    • OIDC_AUTH_PATH – auth path (Keycloak: auth, Cognito: authorize)
  • Bug fix: Replaced resp.ok with resp.is_error for httpx compatibility (httpx.Response has no .ok attribute).

TPA / Cognito configuration

export TRUSTIFY_URL="https://your-tpa-instance.example.com"
export AUTH_ENDPOINT="https://your-cognito-domain.auth.region.amazoncognito.com/oauth2"
export OIDC_CLIENT_ID="your-client-id"
export OIDC_CLIENT_SECRET="your-client-secret"
export OIDC_AUTH_PATH="authorize" # only if using PKCE/browser flow
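The client_credentials-first, PKCE-fallback sequence the description sketches, written out as an added Python example; this is illustrative code, not TrustShell's implementation. It assumes a pluggable `transport` callable in place of httpx so that it runs offline, and the names `OidcConfig`, `get_token`, `client_credentials_token`, `pkce_authorize_url` and the two fake endpoints are hypothetical. The `status >= 400` check stands in for `httpx.Response.is_error`, the attribute the PR switches to (httpx has no `.ok`), and the Cognito/Keycloak difference shows up only in the `auth_path` segment of the browser URL.

```python
"""Client credentials first, PKCE fallback. Added example, not TrustShell code.
Uses a transport callable instead of httpx so it runs offline; `status >= 400`
mirrors httpx's resp.is_error (there is no resp.ok)."""
import base64
import hashlib
import json
import os
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Optional, Tuple
from urllib.parse import urlencode

# (method, url, headers, body) -> (status_code, response_body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


@dataclass
class OidcConfig:
    auth_endpoint: str                    # AUTH_ENDPOINT, e.g. https://.../oauth2
    client_id: str = "atlas-frontend"     # OIDC_CLIENT_ID default named in the PR
    client_secret: Optional[str] = None   # OIDC_CLIENT_SECRET enables client_credentials
    auth_path: str = "auth"               # OIDC_AUTH_PATH: Keycloak "auth", Cognito "authorize"

    @classmethod
    def from_env(cls, env: Mapping[str, str] = os.environ) -> "OidcConfig":
        return cls(
            auth_endpoint=env["AUTH_ENDPOINT"].rstrip("/"),
            client_id=env.get("OIDC_CLIENT_ID", "atlas-frontend"),
            client_secret=env.get("OIDC_CLIENT_SECRET") or None,
            auth_path=env.get("OIDC_AUTH_PATH", "auth"),
        )


def pkce_challenge(verifier: str) -> str:
    """S256 challenge per RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def client_credentials_token(cfg: OidcConfig, transport: Transport) -> Optional[dict]:
    """POST the client_credentials grant to <auth_endpoint>/token.
    Returns the token payload; None if the server reports the grant type as
    unsupported (caller falls back to PKCE); raises on any other error."""
    body = urlencode({"grant_type": "client_credentials",
                      "client_id": cfg.client_id,
                      "client_secret": cfg.client_secret}).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    status, raw = transport("POST", cfg.auth_endpoint + "/token", headers, body)
    if status >= 400:  # what httpx's resp.is_error means
        try:
            error = json.loads(raw).get("error")
        except ValueError:
            error = None
        if error == "unsupported_grant_type":
            return None
        raise RuntimeError(f"token endpoint returned {status}: {raw[:200]!r}")
    return json.loads(raw)


def pkce_authorize_url(cfg: OidcConfig, redirect_uri: str) -> Tuple[str, str]:
    """Browser authorization URL for the PKCE flow; returns (url, code_verifier)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    query = urlencode({"response_type": "code", "client_id": cfg.client_id,
                       "redirect_uri": redirect_uri, "scope": "openid",
                       "code_challenge": pkce_challenge(verifier),
                       "code_challenge_method": "S256"})
    return f"{cfg.auth_endpoint}/{cfg.auth_path}?{query}", verifier


def get_token(cfg: OidcConfig, transport: Transport,
              redirect_uri: str = "http://localhost:8080/callback") -> Tuple[str, dict]:
    """client_credentials when a secret is set, PKCE otherwise or on fallback."""
    if cfg.client_secret:
        token = client_credentials_token(cfg, transport)
        if token is not None:
            return "client_credentials", token
    url, verifier = pkce_authorize_url(cfg, redirect_uri)
    return "pkce", {"authorize_url": url, "code_verifier": verifier}


# Constructed fakes standing in for a Cognito token endpoint (not real responses).
def fake_cognito_token_endpoint(method, url, headers, body):
    assert method == "POST" and url.endswith("/oauth2/token")
    assert b"grant_type=client_credentials" in body
    return 200, json.dumps({"access_token": "constructed.jwt",
                            "token_type": "Bearer", "expires_in": 3600}).encode()


def fake_no_client_credentials(method, url, headers, body):
    return 400, json.dumps({"error": "unsupported_grant_type"}).encode()


if __name__ == "__main__":
    env = {"AUTH_ENDPOINT": "https://example.auth.us-east-1.amazoncognito.com/oauth2/",
           "OIDC_CLIENT_ID": "demo", "OIDC_CLIENT_SECRET": "s3cret",
           "OIDC_AUTH_PATH": "authorize"}
    cfg = OidcConfig.from_env(env)
    print(get_token(cfg, fake_cognito_token_endpoint)[0])
    print(get_token(cfg, fake_no_client_credentials)[0])
```

The fallback is deliberately narrow: only an explicit `unsupported_grant_type` error drops to the browser flow. A 401 from a wrong secret, or a 5xx, is raised instead, so a misconfigured secret surfaces as a failure rather than silently turning a headless run into one that waits on a browser.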

@jasinner jasinner merged commit d604efe into main Feb 27, 2026
2 checks passed