
Use bearer token for cloud channel auth

Open cpkurotori opened this issue 6 months ago • 0 comments

What is the expected feature or enhancement?

On the Qiskit Runtime server side, when an API Key is provided in the Authorization header, the service goes to IAM to obtain a bearer token before making the authorization request.

This flow fails if the instance's account has Context Based Restrictions (CBR) enabled (example: IP allowlist).

The REST API does support Bearer token authentication (Authorization header with Bearer TOKEN), which should be able to bypass this.

Acceptance criteria

  • [ ] an account with CBR enabled should be able to run a job successfully from a device that is allowlisted

Notes

This could probably be implemented a number of ways:

  1. Provide an optional setting to obtain a bearer token using the API key.
  2. Convert auth flow for cloud channel to only use the bearer token flow (bearer token can be cached).

In my opinion, option 2 is better because bearer tokens are a better security approach (if a bearer token gets compromised, it automatically expires) and we won't need to maintain 2 different code paths (apikey and bearer token).

Please note that staging should be supported as well (endpoint is iam.test.cloud.ibm.com).

Example code block:

import requests

apikey = "replace with apikey"
# Exchange the API key for an IAM bearer token.
resp = requests.post(
    "https://iam.cloud.ibm.com/identity/token",
    data={"grant_type": "urn:ibm:params:oauth:grant-type:apikey", "apikey": apikey},
    timeout=30,
)
print(resp.status_code)
print(resp.json())

cpkurotori, Aug 16 '24 14:08
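A sketch of option 2 from the notes above (exchange the API key once, cache the bearer token, refresh shortly before it expires), added here as an illustration and not taken from qiskit-ibm-runtime or from the issue author. The class name `CachedBearerAuth`, its parameters and the `production`/`staging` keys are hypothetical; it assumes the IAM response carries `access_token` and `expires_in`, and that staging uses the same `/identity/token` path as the example request.

```python
import json
import time
import urllib.parse
import urllib.request

IAM_URLS = {  # hosts from the issue; staging path assumed to match production
    "production": "https://iam.cloud.ibm.com/identity/token",
    "staging": "https://iam.test.cloud.ibm.com/identity/token",
}


def _post_form(url, form):
    """Default transport: form-encoded POST, returns the decoded JSON body."""
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class CachedBearerAuth:
    """Hypothetical helper: swaps an API key for a bearer token and caches it."""

    def __init__(self, apikey, env="production", post=_post_form,
                 clock=time.time, skew=60):
        self._apikey, self._url = apikey, IAM_URLS[env]
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def headers(self):
        """Authorization header for the REST API; refreshes near expiry."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            body = self._post(self._url, {
                "grant_type": "urn:ibm:params:oauth:grant-type:apikey",
                "apikey": self._apikey,
            })
            self._token = body["access_token"]
            # Assumed field: token lifetime in seconds from the IAM response.
            self._expires_at = self._clock() + float(body["expires_in"])
        return {"Authorization": f"Bearer {self._token}"}

    def __repr__(self):  # keep the API key and token out of logs and tracebacks
        return f"CachedBearerAuth(url={self._url!r})"
```

The `post` and `clock` arguments exist so the cache logic can be exercised without contacting IAM; a failed exchange surfaces as the transport's exception and leaves the cache unchanged.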