Add keycloak auth

[robinskil]

This pull request introduces optional Keycloak Bearer-JWT authentication for both HTTP (Axum) and Flight SQL transports, allowing for more robust and configurable authentication and authorization. The changes are backward-compatible: if Keycloak is not enabled in the configuration, the system continues to use legacy Basic authentication and anonymous access as before. When enabled, Keycloak authentication enforces role-based access control for both admin and query endpoints.

Keycloak Authentication Integration:

• Added a new keycloak module (beacon-api/src/auth/keycloak.rs) that provides shared Keycloak JWT validation logic, builds admin and query layers based on configuration, and exposes claims for downstream authorization decisions.
• Updated the main router setup (beacon-api/src/axum/router.rs) to build Keycloak layers at startup and pass them to the admin and client routers, enabling or disabling JWT validation as configured.
• Modified the admin and client routers (beacon-api/src/axum/admin/mod.rs, beacon-api/src/axum/client/mod.rs) to accept optional Keycloak layers, applying them as middleware if present, or falling back to Basic/anonymous auth.

Flight SQL Authentication Enhancements:

• Extended the Flight SQL authenticator (beacon-api/src/flight_sql/auth.rs) to support Keycloak JWT validation, including role-based admin/DDL privilege checks and correct handling of anonymous access based on configuration.

• Updated the Flight SQL service construction and tests to pass in Keycloak layers, ensuring consistent authentication logic across transports.
  Dependency and Configuration Updates:

• Added new dependencies for Keycloak and JWT validation (axum-keycloak-auth, url) and updated serde_json version.

• Extended the main configuration struct to include Keycloak settings.

These changes provide a flexible, secure foundation for authentication and authorization, supporting both modern (Keycloak/JWT) and legacy (Basic/anonymous) modes as needed.