Implement RFC 8628

[nsklikas]

BREAKING CHANGES: This patch breaks up `OAuth2AuthorizeExplicitFactory` into
`OAuth2AuthorizeExplicitAuthFactory` and `Oauth2AuthorizeExplicitTokenFactory`

Related Design Document

Implements RFC 8628.

Checklist

• I have read the contributing guidelines and signed the CLA.
• I have referenced an issue containing the design document if my change introduces a new feature.
• I have read the security policy.
• I confirm that this pull request does not address a security vulnerability.
  If this pull request addresses a security vulnerability,
  I confirm that I got approval (please contact [email protected]) from the maintainers to push the changes.
• I have added tests that prove my fix is effective or that my feature works.
• I have added the necessary documentation within the code base (if appropriate).

Further comments

This PR is based on the work done on #701, by @supercairos and @BuzzBumbleBee. That PR was based on an older version of fosite and was missing some features/tests.

Comments:

• Due to some dependency issues we had to switch to go.uber.org/mock/gomock (github.com/golang/mock/gomock is deprecated)
• We had to do a small refactor of the AuthorizeExplicitGrantHandler to generalize it to reduce code duplication

[CLAassistant]

All committers have signed the CLA.

[nsklikas]

Looks like the conformity tests are failing because it tries to use this version of fosite on hydra master. But they pass on the hydra PR with this version of fosite. Changes are needed on the hydra config DefaultProvider object, how should we fix this?

[aeneasr]

Thank you very much for this massive PR! There's still thousands of lines to review, but here are some first remarks.

Primarily, some of the diffs are hard to read because they re-organize code into different files. Would it be possible to focus the changes on what's required to change and leave the refactoring out? We can always re-organize the code later, but given the sensitivity of the files touched (core token methods), it will be significantly easier to review those changes. Thank you!

[aeneasr]

Looks like the conformity tests are failing because it tries to use this version of fosite on hydra master. But they pass on the hydra PR with this version of fosite. Changes are needed on the hydra config DefaultProvider object, how should we fix this?

You should be able to change the target commit in the CI file to target your PR in hydra, which should make the tests pass

[zepatrik]

This looks great already, however due to the security implications I agree with @aeneasr that we should pull out some of the unrelated refactoring into separate PRs to reduce the size and complexity of this one, especially the migration from github.com/golang/mock/gomock to go.uber.org/mock/gomock and maybe also some other code style changes.
I did not yet fully review all parts, but these are some preliminary suggestions already.

[nsklikas]

Thank you for the reviews.

I reverted the refactor on the oauth2 handlers and tried to address all the comments. Also pinned the ci to use hydra from the PR branch and now the tests pass. Please have another go.

[eseliger]

Just wanted to leave a big thank you for the massive work you put into this @nsklikas!

[aeneasr]

Amazing work, there is one comment left around DeleteOpenIDSession, otherwise this is good to merge IMO

Next step is to get the hydra changes reviewed and then we can merge everything

[aeneasr]

code is not being validated here?

[aeneasr]

Actually, I think you forgot to validate the code here