[oauth] Support authorization servers with overly simple introspection endpoints

OAuth 2.0 only requires introspection endpoint to return whether a token is active or not. Other information necessary to establish user's identity during authentication, or token suitability (claims like sub, username, iss) are optional.

For these servers an OpenID Connect /userinfo endpoint could be used to gather the additional info during token validation.