fix(openid-connect): token introspection with client_secret_basic sends credentials in both header and body

[nic-6443]

Description

When introspection_endpoint_auth_method is client_secret_basic (the default), the token introspection request sends the client credentials twice: once in the Authorization: Basic header and once more as client_id/client_secret in the POST body. RFC 6749 Section 2.3.1 says the client must not use more than one authentication mechanism per request, so strict authorization servers reject the introspection call with invalid_client and every bearer-token request through the route fails with 401 — with the default plugin config.

The root cause is in lua-resty-openidc 1.8.0: introspect() unconditionally copies client_id/client_secret into the request body, and call_token_endpoint() then adds the Basic header for client_secret_basic without removing the body copies. There is an upstream issue (zmartzone/lua-resty-openidc#556), but it has been open for a while with no release containing a fix, so this patches it on the APISIX side without forking the library.

The fix extends the existing http_request_decorator hook usage in the plugin's introspection path: when the auth method is client_secret_basic, the decorator strips client_id/client_secret from the urlencoded request body before the request is sent. Scoping notes:

• The decorator is set right before openidc.introspect() and cleared right after it returns (existing behavior), so it only affects the introspection call, not the token-endpoint calls of the authorization code flow.
• Within openidc.introspect(), the decorator can also see a body-less discovery GET (when introspection_endpoint is not set explicitly), hence the req.body guard.
• client_secret_post, private_key_jwt and client_secret_jwt are untouched: stripping only happens for client_secret_basic, where the credentials are already carried by the Basic header.

The new test file t/plugin/openid-connect11.t uses a mock introspection endpoint that behaves like a strict authorization server (rejects requests carrying credentials in both the header and the body) and covers client_secret_basic (default and explicit, with and without introspection_addon_headers) as well as client_secret_post, which must keep sending body credentials.

Which issue(s) this PR fixes:

Fixes #13085

Checklist

• I have explained the need for this PR and the problem it solves
• I have explained the changes or the new features added to this PR
• I have added tests corresponding to this change
• I have updated the documentation to reflect this change
• I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)