Story
Resolution: Done
Major
---
Closes: #47317.
This PR provides initial support for [RFC9728](https://datatracker.ietf.org/doc/rfc9728/).
The [RFC9728](https://datatracker.ietf.org/doc/rfc9728/) metadata document may include many properties, but this PR starts with returning an `authorization_servers` property only, to support the [MCP authorization requirement](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization#overview) and specifically the [requirement to support authorization_servers](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization#authorization-server-location), to allow MCP clients to bootstrap themselves by discovering how they can log users into MCP servers.
Going forward, more metadata may be included, given the specific requirements.
Right now, returning the resource metadata is disabled by default, since this information can be considered sensitive. For example, `www.someservice.com` may not want to advertise on the web which authorization providers, endpoints and other related metadata support its users' logins. For example, with Keycloak or other production-quality providers, by registering custom login pages it can be hard to figure out which provider is actually used to log users in, and therefore it should be a deployment-level decision whether to expose the protected resource metadata or not.
That might need to be relaxed in some cases though, maybe in dev mode.
The `quarkus.oidc.resource-metadata.resource` property is optional.
If it is not configured, then the handler path is calculated as follows: for the default tenant it is just `/.well-known/oauth-protected-resource`, otherwise `/.well-known/oauth-protected-resource/${tenant-id}`.
If it is configured and is an absolute URL, then the path is either `/.well-known/oauth-protected-resource` or `/.well-known/oauth-protected-resource/${url-path-component}`. If it is a relative URL, then the path is `/.well-known/oauth-protected-resource`, otherwise `/.well-known/oauth-protected-resource/${relative-url}`.
I've added a few tests for static and dynamic tenants, and also confirmed with ngrok that configuring an absolute HTTPS-based resource URL also works.
Right now I'm finalizing the spec option where `WWW-Authenticate: Bearer resource_metadata=...` is returned if no token is available when accessing the protected resource, which is also required by the MCP authorization spec; the PR will be ready for review once that is done.
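The bootstrap flow the PR description outlines, as an added example that is not code from this PR or from Quarkus: the server answers an unauthenticated request with a `WWW-Authenticate: Bearer resource_metadata="..."` challenge, the client fetches the well-known RFC 9728 document and reads `authorization_servers`. It is written in Python rather than Quarkus's Java so the protocol exchange can be run offline. The handler-path rule mirrors the PR description; the default tenant id `Default`, the hostnames, the Keycloak-style issuer URL and the in-memory HTTP stand-in are constructed for this example. The client-side checks (metadata `resource` must equal the resource the client asked for, which RFC 9728 section 3.3 requires; same-origin and https-only metadata URL and https-only authorization servers, which are conservative choices of this example and not something the PR states) are the ones a practitioner would want before trusting the advertised login providers.

```python
"""RFC 9728 protected-resource metadata round trip, MCP style (added example)."""
import json
import re
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"


def metadata_path(tenant_id="Default", resource=None):
    """Path of the metadata handler, following the rules in the PR description.

    No resource configured: keyed by tenant id ("Default" as the default tenant
    id is an assumption of this example). Absolute or relative resource URL: its
    path component is appended, which is also the RFC 9728 section 3.1 rule.
    """
    if resource is None:
        return WELL_KNOWN if tenant_id == "Default" else f"{WELL_KNOWN}/{tenant_id}"
    path = urlsplit(resource).path if "://" in resource else resource
    path = path.strip("/")
    return f"{WELL_KNOWN}/{path}" if path else WELL_KNOWN


def metadata_url(resource):
    """RFC 9728 section 3.1: well-known segment inserted between host and path."""
    parts = urlsplit(resource)
    return f"{parts.scheme}://{parts.netloc}{metadata_path(resource=resource)}"


def metadata_document(resource, authorization_servers):
    """Server side: the minimal document the PR returns (resource + authorization_servers)."""
    return {"resource": resource, "authorization_servers": list(authorization_servers)}


def challenge_header(resource):
    """Server side: value of WWW-Authenticate on the 401 returned when no token is present."""
    return f'Bearer resource_metadata="{metadata_url(resource)}"'


_RESOURCE_METADATA = re.compile(r'resource_metadata="([^"]+)"')


def parse_challenge(www_authenticate):
    """Client side: extract the resource_metadata URL from a Bearer challenge, or None."""
    if not www_authenticate.startswith("Bearer"):
        return None
    match = _RESOURCE_METADATA.search(www_authenticate)
    return match.group(1) if match else None


class BootstrapError(Exception):
    """Raised when the discovery answer must not be trusted."""


def discover_authorization_servers(resource, http_get):
    """Client side bootstrap. http_get(url, headers) -> (status, headers, body)."""
    status, headers, _ = http_get(resource, {})
    if status != 401:
        raise BootstrapError(f"expected a 401 challenge, got {status}")
    meta_url = parse_challenge(headers.get("WWW-Authenticate", ""))
    if meta_url is None:
        raise BootstrapError("no resource_metadata parameter in WWW-Authenticate")
    # Conservative policy of this example: only follow an https metadata URL on
    # the resource's own origin, so a tampered challenge cannot point the client
    # at a foreign document listing attacker-chosen authorization servers.
    r, m = urlsplit(resource), urlsplit(meta_url)
    if m.scheme != "https" or (m.scheme, m.netloc) != (r.scheme, r.netloc):
        raise BootstrapError(f"refusing cross-origin or non-https metadata URL {meta_url}")
    status, _, body = http_get(meta_url, {"Accept": "application/json"})
    if status != 200:
        raise BootstrapError(f"metadata fetch failed with status {status}")
    doc = json.loads(body)
    # RFC 9728 section 3.3: the resource value must be identical to the resource
    # identifier the client used; otherwise the document must not be used.
    if doc.get("resource") != resource:
        raise BootstrapError(f"resource mismatch: {doc.get('resource')!r} != {resource!r}")
    servers = doc.get("authorization_servers") or []
    if not servers:
        raise BootstrapError("authorization_servers missing (MCP requires it)")
    insecure = [s for s in servers if urlsplit(s).scheme != "https"]
    if insecure:
        raise BootstrapError(f"non-https authorization server(s): {insecure}")
    return servers


# Constructed sample deployment: an MCP server and a Keycloak-style issuer.
RESOURCE = "https://mcp.example.com/mcp"
AUTH_SERVER = "https://auth.example.com/realms/mcp"


def make_fake_server(resource=RESOURCE, advertised_resource=RESOURCE):
    """Constructed in-memory stand-in for the MCP server's HTTP responses."""
    doc = json.dumps(metadata_document(advertised_resource, [AUTH_SERVER]))
    routes = {
        resource: (401, {"WWW-Authenticate": challenge_header(resource)}, ""),
        metadata_url(resource): (200, {"Content-Type": "application/json"}, doc),
    }

    def http_get(url, headers):
        return routes.get(url, (404, {}, ""))

    return http_get


if __name__ == "__main__":
    print("handler path for tenant 'hr':", metadata_path("hr"))
    print("challenge:", challenge_header(RESOURCE))
    print("discovered:", discover_authorization_servers(RESOURCE, make_fake_server()))
```

Swapping `advertised_resource` for another URL in `make_fake_server` reproduces the RFC 9728 mismatch case: the client rejects the document instead of logging the user in at whatever authorization server it lists.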