Add support for native applications

[tbroyer]

Based on https://tools.ietf.org/html/draft-ietf-oauth-native-apps-00:

• [ ] Create a new kind of apps for native apps:
  • native apps cannot be “provisioned”, they're necessarily “singleton” apps
  • native apps don't have “services”; if they technically need one, it MUST have visibility:"hidden"; they cannot register new services (or delete the only existing one)
  • native apps don't appear in the catalog (as a result of the above). Maybe we could store links to app stores and have a dedicated section in the Portal; that'd work at least for mobile apps, not for desktop ones (though that should hopefully be rare).
• [ ] Support public clients (for native apps only); or maybe not, but then knowing it's a native app we should treat it like a public client, even if it has a client_secret. That would be technically easier I guess. Need to investigate what “treat as a public client” actually implies.
• [ ] Support PKCE, and require its use for native apps (even for app-claimed HTTPS?)
  • [x] Support PKCE
  • [ ] Require use of PKCE for native apps
• [ ] Support custom URI schemes in redirect_uris (for native apps only); we should enforce uniqueness of the custom URI scheme across all services, and somehow enforce the use of package/bundle names as the custom scheme or at a minimum use of a reverse-domain string (contains at least one dot, and when reversed parses as a domain name and ends with a public suffix, without being a public suffix itself), or maybe change our client_ids to be domain names (and then enforce that the custom scheme is the reversed client_id).
• [ ] Support http://localhost (any port) for redirect_uris (for native apps only); actual port in the authorization request should not be compared with the pre-registered redirect_uri.
• [ ] Not directly related actually, but we should try to detect web-views and block login (asking the user to open the page in their standalone browser). See https://mobiforge.com/research-analysis/webviews-and-user-agent-strings and https://www.npmjs.com/package/is-webview
  • [x] Detect web-views
  • [ ] Block login in web-views
• [ ] Also not directly related, but we should set a cookie (or use localStorage) to be able to tell the user when they last signed in on that device (and possibly as which user; we shouldn't use the email address though, only the public name, possibly the profile pic too)

[tbroyer]

PKCE implemented in 6694638f97c3d94b5b37e052ce8eff225e4b6a2a

[tbroyer]

WebView detection added in 0131269611790eeae5dcbaecded7077d0056a298 (no blocking yet though)

[tbroyer]

FWIW, iOS SDK available at https://openid.github.io/AppAuth-iOS/ and Android SDK at https://openid.github.io/AppAuth-Android/