CXH-1522: add OAuth 2.0 DPoP support

[al-conductorone]

Adds DPoP to the OAuth setup so the connector works against Okta's new default of requiring DPoP on token requests. Existing OAuth customers without the toggle keep working unchanged.

• Risk: rolling back while Okta's Require-DPoP toggle is ON will break the older connector. Disable the toggle first if downgrading.
• New telemetry header x-okta-user-agent-extended: isDPoP:true appears in Okta system logs and downstream SIEMs.
• Breaking changes: none.

[linear-code]

CXH-1522

[github-actions]

Connector PR Review: CXH-1522: add OAuth 2.0 DPoP support

Blocking Issues: 0 | Suggestions: 0 | Threads Resolved: 0
Review mode: incremental since 6fd70e7
View review run

Review Summary

The new commits add a clock-skew diagnostic hint to invalid_dpop_proof and invalid_client error messages, and wrap context-cancellation and token-decode errors with proper gRPC status codes (Canceled, DeadlineExceeded, Internal, Unauthenticated) instead of raw Go errors. The test for leader-cancel propagation is updated to assert codes.Canceled and now correctly closes the release channel in failure paths to prevent goroutine leaks. All changes are clean with no new issues found.

Security Issues

None found.

Correctness Issues

None found.

Suggestions

None.

[github-actions]

No blocking issues found.

[github-actions]

No blocking issues found.

[github-actions]

No blocking issues found.

[github-actions]

No blocking issues found.

[github-actions]

No blocking issues found.

[github-actions]

No blocking issues found.

[github-actions]

No blocking issues found.

[FeliLucero1]

DRY: tokenSource.nonceFunc() and dpopRoundTripper.nonceFunc() are identical in shape

[github-actions]

No blocking issues found.