starlette: Allow to provide access token in authorization header

Previously the OpenID Connect backend was only allowing to provide
a refresh token in authorization header for convenient access token
renewal when querying a GraphQL service outside of a browser.

When one wants to query a GraphQL service inside a browser, the
access tokens are usually created and renewed client-side so also
allow to provide an access token in the authorization header.
In that case, the backend will simply try to decode it in order
to authenticate the user.

Related to swh/devel/swh-graphql#4652