We no longer expect nor accept tokens with old acr values during
validation as ID-porten no longer issues tokens with these values.
This also removes backward compatibility in cases where configured
values targeted the new ID-porten while using old ID-porten.
We still maintain an internal mapping from old values to new values
for forward compatibilty when using old values provided in the login
parameter and the `openid.acr-values` flag.
Replace hardcoded callback URLs with dynamic generation
of URLs based on incoming requests. These are validated against
a pre-registered list of ingresses for which Wonderwall is considered
authorative for.
We also preserve the cookie behaviour; the most specific ingress path
and domain is used for the cookies.
The `url` package has been moved to the `handler` package, and its
implementation refactored slightly for readability and DRY.
Access Tokens are not necessarily JWTs. We also don't
have to validate them as we only pass it on as an opaque
string.
This also means that we don't log the JTI access tokens
anymore.
We also simplify handling of oidc callbacks.
There's a bunch of changes here, but in essence:
- split out openid configuration
- separate openid configuration between client/rp and provider
- consolidate client and provider related code in separate packages
These changes allow for simplification of the Handler, as well as a
bunch of test/mock code as the configuration is now instantiated
seperately from the client/provider code.
