feat: Add Authorization header fallback for OAuth TokenHandler

- Implement fallback to extract client credentials from Authorization header
- Support Basic authentication when client_id is missing from form data
- Handle URL-encoded client secrets properly
- Add comprehensive test coverage for the new functionality
- Follows OAuth 2.0 RFC 6749 specifications for client authentication

Fixes #1315

Author: ChenyangLi4288