impl(common): token exchange for external accounts

[coryan]

To support external accounts we need to convert the "subject token" returned by the external account source (e.g. an Azure metadata service or a GitHub Actions OIDC source) into "access tokens" returned by GCP's "Security Token Service". In this change we introduce the code to perform such exchanges, including a small integration test on GitHub actions.

Part of the work for #5915

---

This change is 

[google-cloud-cpp-bot]

Google Cloud Build Logs
For commit: c252da70a3f89a3722f091984b29a2974e58520f

• Public Access Build Logs
• Cloud Build Console (requires auth)
• Kokoro Logs (requires auth)

ℹ️ NOTE: Kokoro logs are linked from "Details" below.

[codecov]

Codecov Report

Base: 93.85% // Head: 93.86% // Increases project coverage by +0.00% 🎉

Coverage data is based on head (96bfdce) compared to base (a5ad82f).
Patch coverage: 96.75% of modified lines in pull request are covered.

Additional details and impacted files

@@           Coverage Diff            @@
##             main   #10328    +/-   ##
========================================
  Coverage   93.85%   93.86%            
========================================
  Files        1597     1600     +3     
  Lines      145363   145763   +400     
========================================
+ Hits       136437   136823   +386     
- Misses       8926     8940    +14     

Impacted Files	Coverage Δ
...ud/internal/oauth2_external_account_credentials.cc	94.73% <94.73%> (ø)
...ternal/oauth2_external_account_credentials_test.cc	97.07% <97.07%> (ø)
...oud/internal/oauth2_external_account_credentials.h	100.00% <100.00%> (ø)
google/cloud/internal/async_connection_ready.cc	89.36% <0.00%> (-4.26%)	⬇️
...e/cloud/pubsublite/internal/alarm_registry_impl.cc	97.05% <0.00%> (-2.95%)	⬇️
google/cloud/pubsub/subscriber_connection_test.cc	98.78% <0.00%> (-1.22%)	⬇️
...integration_tests/schema_admin_integration_test.cc	98.88% <0.00%> (-1.12%)	⬇️
...le/cloud/internal/default_completion_queue_impl.cc	96.59% <0.00%> (-0.57%)	⬇️
google/cloud/completion_queue_test.cc	97.32% <0.00%> (+0.19%)	⬆️
...cloud/pubsub/internal/subscription_session_test.cc	98.33% <0.00%> (+0.33%)	⬆️
... and 1 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[google-cloud-cpp-bot]

Google Cloud Build Logs
For commit: 002e5879568b8a35eb8dcf99788db0f04b1550f7

• Public Access Build Logs
• Cloud Build Console (requires auth)
• Kokoro Logs (requires auth)

ℹ️ NOTE: Kokoro logs are linked from "Details" below.

[coryan]

Rebased to resolve conflicts, PTAL.

[dbolduc]

optional: I call this thing a sor... but I thought you didn't like that...

[devbww]

The conventional approach would be to just call this response. That might complicate and/or simplify the code below where we introduce response to hold the (moved) OK response.

[coryan]

Fixed.

[dbolduc]

FYI: I am not the best reviewer of this chunk of code. Maybe @scotthart can give it the once-over?

[coryan]

Ack. There is a lot of similar code elsewhere

[google-cloud-cpp-bot]

Google Cloud Build Logs
For commit: 96bfdce3854cdd221bcdcb58e3085bcb003399ff

• Public Access Build Logs
• Cloud Build Console (requires auth)
• Kokoro Logs (requires auth)

ℹ️ NOTE: Kokoro logs are linked from "Details" below.

[dbolduc]

FYI: I applied the do not merge label, although I know you know better than to merge while the release is in progress