Commit 67571e0

pgwire: decouple jwt authentication and authorization logic
Previously, the logic for JWT authorization (extracting group claims and synchronizing roles) was located within the `Authenticator` behavior. This was a necessary design when the JWT token was only exchanged from the `AuthConn` within the authenticator. This was inadequate because it bundled authentication and authorization logic, violating the separation of concerns intended by the `AuthBehaviors` framework and creating an inconsistency with other methods like `AuthLDAP`.

A recent change (#149415) made the token available via closure capture to all behaviors, removing the original constraint and making this refactoring possible.

To address this, this patch decouples the logic. The `Authenticator` is now solely responsible for validating the token (authentication). The authorization logic has been moved to a new `Authorizer` behavior, which aligns the implementation with the framework's design and improves code clarity and maintainability.

Fixes: #150720

Release note: None
1 parent 511c558 commit 67571e0

1 file changed (+5, -0 lines changed)

pkg/sql/pgwire/auth_methods.go

Lines changed: 5 additions & 0 deletions
@@ -916,6 +916,10 @@ func authJwtToken(
916916
return authError
917917
}
918918

919+
return nil
920+
})
921+
922+
b.SetAuthorizer(func(ctx context.Context, systemIdentity string, clientConnection bool) error {
919923
// Ask the CCL verifier for groups (nil slice means feature disabled).
920924
groups, err := jwtVerifier.ExtractGroups(ctx, execCfg.Settings, []byte(token))
921925
if err != nil {
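Review bot: the new `b.SetAuthorizer(...)` callback obtains the JWT through closure capture (`[]byte(token)`) rather than from its own arguments, so it is only correct if the authenticator closure above it has already run and returned `nil`; please add a comment above `b.SetAuthorizer` stating that `token` is populated and verified by the authenticator, and confirm that `AuthBehaviors` never invokes the authorizer after an authentication failure, since otherwise `jwtVerifier.ExtractGroups` would be called on an unverified token. The `systemIdentity` and `clientConnection` parameters are not used in the visible lines; if they remain unused in the rest of the body, rename them `_` so the signature does not suggest the authorizer keys off them.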
@@ -959,6 +963,7 @@ func authJwtToken(
959963

960964
return nil
961965
})
966+
962967
return b, nil
963968
}
964969
