⚠️ Note to Reviewers:

Of the ~11.7k lines changed in this PR, approximately ~10k lines are auto-generated protobuf and gRPC classes.
Specifically, the files Login.java, Authentication.java, and LoginServiceGrpc.java account for the vast majority of the diff.

The actual hand-written logic is small and contained within the core auth implementation and connection classes.

This PR introduces native authentication support for Spanner Omni endpoints using the OPAQUE password-authenticated key exchange protocol.

Key Changes:

• Omni Login Protocol: Added generated protobufs (Login.java, Authentication.java, LoginServiceGrpc.java) and a gRPC LoginClient to handle the authentication handshake with Omni endpoints.
• LoginClient & OPAQUE Protocol: Implements the LoginClient utilizing OpaqueUtil to perform the secure two-step OPAQUE authentication flow over gRPC.
• SpannerOmniCredentials: A new credentials provider that manages Omni authentication tokens, incorporating automatic background token refresh mechanisms.
• Security Considerations: Securely handles raw passwords using char arrays, ensuring sensitive credentials are zeroed out of memory buffers immediately after processing.
• Client Integration: Updated ConnectionOptions and SpannerOptions.Builder with a new login(username, password) method to wire up Omni credentials. The channel initialization logic was moved to prepareBuilder() to ensure the builder pattern remains order-independent.

To run Integration Tests with auth login run below command with default username/password

mvn clean -pl java-spanner/google-cloud-spanner -B verify \
  -DskipUnitTests=true \
  -DskipITs=false \
  -Dspanner.omni.host=https://localhost:15000 \
  -Dspanner.testenv.instance=projects/default/instances/default \
  -Denforcer.skip=true \
  -Dspanner.username=admin \
  -Dspanner.password=admin

Design Document: Spanner Omni Auth Login