improve authentication/authorization flow

[therealchjones]

• Google "Best Practices": https://developers.google.com/identity/protocols/oauth2/resources/best-practices
• Google OAuth 2.0 authorization: https://developers.google.com/identity/protocols/oauth2/
• Google OpenID Connect authentication: https://developers.google.com/identity/openid-connect/openid-connect
• Google OAuth 2.0 for web server applications: https://developers.google.com/identity/protocols/oauth2/web-server
• mod_auth_openidc caching: https://github.com/OpenIDC/mod_auth_openidc/wiki/Caching
• mod_auth_openidc cookies: https://github.com/OpenIDC/mod_auth_openidc/wiki/Cookies
• mod_auth_openidc config: https://github.com/OpenIDC/mod_auth_openidc/blob/master/auth_openidc.conf

Desired flow:

• 1st use: visit page, get login prompt, login & consent screens, obtain ID, refresh, & access tokens
• Next use (even if web server or browser has restarted): visit page, confirm/obtain new ID and access/refresh tokens without user interaction
• Occasionally (no more often than 1 time per month): visit page, re-login without consent prompt, obtain/confirm new ID/access/refresh tokens

Current flow:

• if web server restarts, as though user has never logged in or consented (may be mitigated with disk-based or client side caching?)
• if user mod_auth_openidc session expires (e.g., if web server restarts), as though user has never logged in or consented
• user login without consent prompt (i.e., without "prompt" parameter after initial login or without "prompt=consent"), no new/updated refresh token
• browser restart alone does not end mod_auth_openidc session

Other improvements:

• secretify secrets in apache conf

[therealchjones]

• [x] sessions persist beyond server restart
• [ ] after the first, user login does not require consent prompt
• [x] sessions persist beyond browser restart
• [x] secrets not seen in apache conf

The marked items have been completed with Apache/mod_auth_openidc configuration. The remaining one has been posted as a question at https://github.com/OpenIDC/mod_auth_openidc/discussions/1153 and may require more backend work (if possible at all).

[therealchjones]

Currently does not require consent screen after the first, with the tradeoff that access tokens/userinfo are not renewed/reauthenticated within the 2 week mod_auth_openidc session. Have not yet found a workaround for that; again, see https://github.com/OpenIDC/mod_auth_openidc/discussions/1153