CCF
Support authentication using multiple bearer tokens
Some applications may want to authorize user input using multiple bearer tokens, for example an identity and an MAA token.
While there is no standard way to do that, we could support a slightly extended Bearer authentication method for the Authorization header, such that a user can pass:
Authorize: Bearers b64JWT b64JWT ...
A custom authentication policy perhaps named jwts_auth or multiple_jwt_auth would apply the logic in jwt_auth over each token individually, and succeed if all of them pass. A new identity object would expose resolved claims in a collection, for the application to consume.
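A sketch of the all-or-nothing policy proposed above, as an added example that is not CCF code and not part of the original issue. The names `authenticate_bearers`, `VerifyOne`, `MultiJwtIdent`, `kMaxTokens` and `demo_verify` are hypothetical, and the token cap and the case-insensitive scheme match are assumptions. The per-token check that jwt_auth would perform is replaced by a constructed stand-in.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <functional>
#include <iostream>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical types for illustration; none of these are CCF APIs.
struct TokenClaims { std::string issuer, subject; };
struct MultiJwtIdent { std::vector<TokenClaims> claims; };
// Stand-in for the per-token check jwt_auth performs.
using VerifyOne = std::function<std::optional<TokenClaims>(const std::string&)>;
constexpr std::size_t kMaxTokens = 4; // assumed cap on verification work per request

std::optional<MultiJwtIdent> authenticate_bearers(
  const std::string& header_value, const VerifyOne& verify) {
  std::istringstream in(header_value);
  std::string scheme, tok;
  if (!(in >> scheme)) return std::nullopt;
  std::transform(scheme.begin(), scheme.end(), scheme.begin(),
    [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  if (scheme != "bearers") return std::nullopt; // "Bearer" stays with the single-token policy
  std::vector<std::string> tokens;
  while (in >> tok) tokens.push_back(tok);
  // Check the count before any signature work is done.
  if (tokens.empty() || tokens.size() > kMaxTokens) return std::nullopt;
  MultiJwtIdent ident;
  for (const auto& t : tokens) {
    auto claims = verify(t);
    if (!claims) return std::nullopt; // all-or-nothing: no partial identity is returned
    ident.claims.push_back(*claims);
  }
  return ident;
}

// Constructed verifier: accepts two made-up token strings instead of real JWTs.
std::optional<TokenClaims> demo_verify(const std::string& t) {
  if (t == "idtok") return TokenClaims{"https://idp.example", "alice"};
  if (t == "maatok") return TokenClaims{"https://maa.example", "enclave-1"};
  return std::nullopt;
}

int main() {
  auto id = authenticate_bearers("Bearers idtok maatok", demo_verify);
  std::cout << (id ? id->claims.size() : 0) << " tokens accepted\n";
}
```

Claims are returned in header order, so an application that expects the identity token first and the MAA token second should still check each entry's issuer rather than rely on position.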