
Re-design oxd Connect part to work inside user-agent instead of as backchannel app. #462

Open
yuriyz opened this issue Apr 15, 2020 · 4 comments

Comments

@yuriyz
Contributor

yuriyz commented Apr 15, 2020

Historically oxd was created to work as a back-channel app via sockets. Later we introduced oxd-https-extension, which was later merged into oxd, making HTTP the main transport and removing sockets. oxd commands were designed as back-channel calls at that time. Now that oxd can work inside the user-agent, it should take advantage of it.

Remove current (in 5.x, in 4.3 mark as deprecated):

  • /get-authorization-url
  • /get-tokens-by-code
  • /get-logout-uri

Instead we should have

  • /authorize which should redirect to AS Authorization Endpoint and on redirect back depending on type of the flow fetch token (or skip if it's Implicit Flow) and then validate it.
  • /end-session

In this way oxd will have full control of the process and we will not have questions like how oxd should match UserInfo sub with id_token sub? (see #441 (comment)).

cc @nynymike

@yuriyz yuriyz added this to the 4.2 milestone Apr 15, 2020
@yuriyz yuriyz modified the milestones: 4.2, Future, 4.3 Apr 15, 2020
@yuriyz
Contributor Author

yuriyz commented Apr 15, 2020

@nynymike I propose to make it in 4.3. Since it's not a major release we can leave the /get-authorization-url and /get-tokens-by-code commands for backwards compatibility and completely remove them in the 5.x release.

@duttarnab
Collaborator

@yuriyz, what I understand from /authorize is:

redirect to AS Authorization Endpoint --> user will enter username/password on the login screen --> it will redirect back with code, id_token, access_token (depending on the flow) and validate --> call token endpoint (if required) and validate the token.

I am confused whether we need to directly redirect to the AS Authorization Endpoint and submit username/password from the screen, or whether we need to do it using the Java code below, passing userId and other parameters.

// Posted snippet, reformatted. The imports are assumed to be the oxAuth 4.x client
// library packages; authenticateResourceOwnerAndGrantAccess and authorizationEndpoint
// come from the surrounding oxAuth client test harness (it drives a browser login with
// the supplied credentials), so this is a test-style helper rather than an oxd command.
import java.util.List;
import java.util.UUID;

import org.gluu.oxauth.client.AuthorizationRequest;
import org.gluu.oxauth.client.AuthorizationResponse;
import org.gluu.oxauth.model.common.ResponseType;

private AuthorizationResponse requestAuthorization(final String userId, final String userSecret, final String redirectUri,
                                                   List<ResponseType> responseTypes, List<String> scopes, String clientId, String nonce) {
    // Fresh state per request: the redirect back is only accepted if it echoes this value
    String state = UUID.randomUUID().toString();

    AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
    authorizationRequest.setState(state);

    // Submits the user's credentials on the AS login page and captures the redirect back
    AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(
            authorizationEndpoint, authorizationRequest, userId, userSecret);

    return authorizationResponse;
}

@yuriyz
Contributor Author

yuriyz commented Nov 29, 2020

When the oxd /authorize endpoint is hit, we should construct the authorization URL and redirect to it directly (perform an HTTP redirect). The user enters creds on the AS side (it's not part of oxd). After authn/authz is performed, the response has to be redirected to oxd (redirect_url should point to oxd) and oxd has to perform all validations.
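The flow described in this comment and in the issue description, as an added example that is not oxd's own code (oxd is written in Java): a minimal relying party for the authorization code flow. `authorize()` builds the authorization URL that the /authorize handler would redirect the user-agent to; the AS (a constructed in-memory fake here, standing in for the real AS where the user enters credentials) redirects back to the RP's redirect_uri; `callback()` then does all the validation on the oxd side: state lookup (single use), code exchange, id_token signature, iss, aud, exp and nonce checks, and the UserInfo sub versus id_token sub comparison from #441. The issuer, client id, client secret and URLs are constructed placeholders, the id_token is HS256-signed with the client secret so the example runs offline, and the implicit-flow branch (no token exchange) is left out.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: str) -> str:  # constructed signer used by the fake AS
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, secret: str) -> dict:  # pin the alg, check the signature, then trust claims
    head, body, sig = token.split(".")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad id_token signature")
    return json.loads(_b64url_decode(body))

class RelyingParty:
    """oxd-side logic: authorize() redirects out, callback() validates what comes back."""
    def __init__(self, issuer, client_id, client_secret, redirect_uri, token_endpoint, userinfo_endpoint):
        self.issuer, self.client_id, self.client_secret = issuer, client_id, client_secret
        self.redirect_uri = redirect_uri
        self.token_endpoint = token_endpoint        # callable standing in for the HTTP POST
        self.userinfo_endpoint = userinfo_endpoint  # callable standing in for the HTTP GET
        self._pending = {}                          # state -> nonce (constructed in-memory store)

    def authorize(self) -> str:
        """Build the authorization URL; the /authorize web handler would 302 the user-agent to it."""
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._pending[state] = nonce
        params = {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                  "scope": "openid profile", "state": state, "nonce": nonce}
        return f"{self.issuer}/authorize?{urlencode(params)}"

    def callback(self, redirected_url: str) -> dict:
        """Handle the redirect back from the AS; every check here is oxd's job, not the caller's."""
        query = parse_qs(urlparse(redirected_url).query)
        nonce = self._pending.pop(query.get("state", [""])[0], None)
        if nonce is None:
            raise ValueError("unknown or already-used state")  # CSRF and replay protection
        if "error" in query:
            raise ValueError(f"AS returned error: {query['error'][0]}")
        tokens = self.token_endpoint({"grant_type": "authorization_code", "code": query["code"][0],
                                      "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                                      "client_secret": self.client_secret})
        claims = verify_hs256(tokens["id_token"], self.client_secret)
        if claims.get("iss") != self.issuer or claims.get("aud") != self.client_id:
            raise ValueError("id_token issuer or audience mismatch")
        if claims.get("exp", 0) <= int(time.time()):
            raise ValueError("id_token expired")
        if claims.get("nonce") != nonce:
            raise ValueError("nonce mismatch: id_token not bound to this authorization request")
        userinfo = self.userinfo_endpoint(tokens["access_token"])
        if userinfo.get("sub") != claims["sub"]:  # the #441 question, settled inside oxd
            raise ValueError("UserInfo sub does not match id_token sub")
        return {"sub": claims["sub"], "userinfo": userinfo}

class FakeAuthorizationServer:
    """Constructed stand-in for the AS; credentials are entered here, never at the RP."""
    def __init__(self, issuer, client_id, client_secret):
        self.issuer, self.client_id, self.client_secret = issuer, client_id, client_secret
        self._codes, self._access = {}, {}

    def login(self, authorization_url: str, sub: str) -> str:  # simulate login, return redirect-back URL
        q = parse_qs(urlparse(authorization_url).query)
        code = secrets.token_urlsafe(8)
        self._codes[code] = {"sub": sub, "nonce": q["nonce"][0], "redirect_uri": q["redirect_uri"][0]}
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, form: dict) -> dict:
        rec = self._codes.pop(form["code"], None)  # codes are single-use
        if rec is None or rec["redirect_uri"] != form["redirect_uri"] or form["client_secret"] != self.client_secret:
            raise ValueError("invalid_grant")
        now = int(time.time())
        id_token = sign_hs256({"iss": self.issuer, "sub": rec["sub"], "aud": self.client_id, "iat": now,
                               "exp": now + 300, "nonce": rec["nonce"]}, self.client_secret)
        access = secrets.token_urlsafe(8)
        self._access[access] = rec["sub"]
        return {"access_token": access, "token_type": "Bearer", "id_token": id_token}

    def userinfo(self, access_token: str) -> dict:
        return {"sub": self._access[access_token], "name": "Constructed User"}

def run_front_channel_flow(sub: str = "user-123") -> dict:  # full round trip, placeholder settings
    issuer, client_id, secret = "https://as.example", "oxd-client-id", "constructed-client-secret"
    as_ = FakeAuthorizationServer(issuer, client_id, secret)
    rp = RelyingParty(issuer, client_id, secret, "https://oxd.example/callback", as_.token, as_.userinfo)
    return rp.callback(as_.login(rp.authorize(), sub))
```

In a real deployment the two callables would be HTTP requests to the AS token and UserInfo endpoints, the id_token would be RS256-verified against the AS JWKS, and the `_pending` map would live in a session store keyed to the browser; the point of the example is that none of the state, nonce or sub checks have to leave oxd once the redirect_uri points at it.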

@yuriyz
Contributor Author

yuriyz commented Nov 29, 2020

The goal is to perform front-channel calls, not back-channel as we do it now.

2 participants