ubccr / mokey

FreeIPA self-service account management portal
BSD 3-Clause "New" or "Revised" License

Handle expired password and add possibility to change password #84

Closed xx4h closed 3 years ago

xx4h commented 3 years ago

If a user has an expired password the User-Portal Login only says Invalid login. FreeIPA actually does give us more information in the response of the API call. The header field X-IPA-Rejection-Reason: password-expired will be present if the login credentials were correct, but the password is unfortunately expired (and thus can only be used to set a new password).

The base functionality for this first needs to be added to the goipa module, which I already created a PR for: ubccr/goipa#8

Additionally I already have a working patch for mokey, which I will clean up now for a PR for mokey.
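The check described in the comment above, as an added Go example (not code from mokey, goipa or either PR): a client that keeps the `password-expired` rejection apart from every other failed login, so only that case leads to the change-password form. The endpoint path, form field names, stub transport, accounts and host name are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

const LoginOK, LoginInvalid, LoginExpired = "ok", "invalid", "password-expired" // portal outcomes

// login posts the credentials and classifies the reply by the header named in the issue.
func login(c *http.Client, base, user, pass string) (string, error) {
	form := url.Values{"user": {user}, "password": {pass}} // field names are assumed
	resp, err := c.PostForm(base+"/ipa/session/login_password", form) // path is assumed
	if err != nil {
		return LoginInvalid, err
	}
	defer resp.Body.Close()
	switch {
	case resp.StatusCode == http.StatusOK:
		return LoginOK, nil
	case resp.Header.Get("X-IPA-Rejection-Reason") == "password-expired":
		return LoginExpired, nil // credentials were correct: offer the change form, no session
	}
	return LoginInvalid, nil // every other rejection stays a generic "Invalid login"
}

// stubIPA is a constructed in-memory stand-in for the server; accounts are made up.
type stubIPA struct{}

func (stubIPA) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder() // status defaults to 200
	u, p := r.PostFormValue("user"), r.PostFormValue("password")
	if u == "bob" && p == "stale-pw" {
		rec.Header().Set("X-IPA-Rejection-Reason", "password-expired")
	}
	if !(u == "alice" && p == "fresh-pw") {
		rec.WriteHeader(http.StatusUnauthorized)
	}
	return rec.Result(), nil
}

func main() {
	c := &http.Client{Transport: stubIPA{}}
	for _, cred := range [][2]string{{"alice", "fresh-pw"}, {"bob", "stale-pw"}, {"bob", "wrong"}} {
		res, _ := login(c, "https://ipa.example.test", cred[0], cred[1])
		fmt.Println(cred[0], res)
	}
}
```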

aebruno commented 3 years ago

@xx4h Thanks for the PRs! Just want to make sure I understand the functionality here, so this would be similar to when a user authenticates via ssh/sssd/pam and they are automatically prompted to change their password? So your PR here will allow mokey to have a similar flow for users that have authenticated successfully but have an expired password?

xx4h commented 3 years ago

Correct, like ssh/sssd/pam prompt you. But even more like the normal FreeIPA web interface does: if you try to log in with an expired password, it redirects you to a page where you can enter your current (expired) password, OTP-token (if needed) and your new password as well as a password confirmation.

aebruno commented 3 years ago

@xx4h All sounds great. Thanks again for contributing. I'll try and get this reviewed and merged shortly.

aebruno commented 3 years ago

Closed with PR #85