flownative / flow-openidconnect-client

OpenID Connect Client SDK for Flow Framework
MIT License

OIDC query parameters stay in URL after authentication #32

Closed bwaidelich closed 3 years ago

bwaidelich commented 3 years ago

After finalizing the OIDC authentication, the finishAuthorizationAction of the flownative/oauth2-client package is triggered which results in a final redirect that includes OIDC parameters flownative_oidc and flownative_oauth2_authorization_id_oidc that are picked up by the SetJwtCookieMiddleware in order to set a corresponding JWT cookie.

Afterwards the two query parameters reside in the requested URL (e.g. /some-path?flownative_oidc=eyJ...%3D%3D&flownative_oauth2_authorization_id_oidc=oidc-....). This is not beautiful (especially when URLs are bookmarked or shared) and it can even lead to errors if the URL is re-requested at a later point (e.g. via Browser Refresh).

bwaidelich commented 3 years ago

As discussed earlier today, instead of making those parameters configurable (i.e. extending the flownative/oauth2-client or overriding the finishAuthorizationAction) in order to trigger the Flow authentication directly before the final redirect, we decided to extend the SetJwtCookieMiddleware instead such that it removes the query parameters and triggers yet another redirect.
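One way the strip-and-redirect step decided on above can look, as an added example that is not the package's own code: a hypothetical PSR-15 middleware (class name and placement are assumptions) that sits around the JWT cookie logic, lets it run first so the Set-Cookie header exists, and then answers with one more redirect to the same URL without the two OIDC parameters, so the token never stays in a bookmarkable or shareable URL.

```php
<?php
declare(strict_types=1);

use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

/**
 * Hypothetical middleware (not part of flownative/flow-openidconnect-client):
 * after the inner handler has set the JWT cookie, redirect once more to the
 * request URL with the OIDC query parameters removed.
 */
final class StripOidcQueryParametersMiddleware implements MiddlewareInterface
{
    // The two parameters named in the issue that must not remain in the URL
    private const OIDC_PARAMETERS = ['flownative_oidc', 'flownative_oauth2_authorization_id_oidc'];

    public function __construct(private ResponseFactoryInterface $responseFactory) {}

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        // Run the inner handler (the JWT cookie logic) first so its Set-Cookie header is available
        $response = $handler->handle($request);

        $query = $request->getQueryParams();
        $cleaned = array_diff_key($query, array_flip(self::OIDC_PARAMETERS));
        if (count($cleaned) === count($query) || $response->getStatusCode() >= 400) {
            // No OIDC parameters present (or the inner handler failed): pass through unchanged.
            // Redirecting only when a parameter was actually removed prevents redirect loops.
            return $response;
        }

        // Same path, same remaining query parameters, OIDC parameters dropped
        $cleanUri = $request->getUri()->withQuery(http_build_query($cleaned));
        $redirect = $this->responseFactory->createResponse(302)
            ->withHeader('Location', (string)$cleanUri);

        // Carry over the cookie(s) set by the inner response; without this the JWT would be lost
        foreach ($response->getHeader('Set-Cookie') as $cookie) {
            $redirect = $redirect->withAddedHeader('Set-Cookie', $cookie);
        }
        return $redirect;
    }
}
```

A browser refresh of the final URL then no longer re-submits the OIDC parameters, which is the error case the first comment describes.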