OAuth2: create an access token verification middleware

[porcellus]

• It should be very similar to the session verification middleware
  • Take a look at how that is solved for different frameworks
    • If it's a lot of work for each framework, please get the stuff reviewed before implementing them all
• It should make use of the validateOAuth2AccessToken function exposed by the OAuth2Provider recipe
• It should take all the options of validateOAuth2AccessToken
• It should set/save the token payload the same way as verifySession does.
• It should take an additional isRequired flag:
  • This will default to true (so it is optional)
  • Setting it to false will allow requests through even if there are no tokens present
  • I'll confirm this tomorrow, but when there is an invalid token present, we should reject the request even if isRequired is set to false
  • The name feels weird. See if you can figure out something better
• We also need to set the WWW-Authenticate header if it fails
  • OAuth2: create an access token verification middleware #903