Provide a way for services (e.g. entities that cannot provide OIDC headers) to participate in authn/authz.

From offline discussions it sounds like we might be able to generate a JWT token that we store in a db for the
service to use, but will defer to @danielhochman.