draft: Replace passport-openidconnect with openid-clien

[leeomara]

This is a work in progress which should not be merged yet.

This is some experimentation to investigate the use of OpenID client instead of passport-openidconnect. This relates to #3.

Checklist

• Authorize redirects to IDP
• Code authorization flow
• Authorization code to token
• User info endpoint
• Sane structure to code

Overall status

This is somewhat working, though the code is a mess as I don't know TS, nor Node, Express, Passport or modern JS development practices. You've been warned!

Current roadblock

The headers for hitting userinfo endpoint are using lower case. It looks like Hydra/C1 wants "Authorization: Bearer ...". C1 needs a capital "B" for "Bearer" there

I'm unable to untangle the specs on this.
https://tools.ietf.org/html/rfc7230#section-3.2

This suggests that it should be case-sensitive, but isn't 100% clear.
https://tools.ietf.org/html/rfc6750

Many other OpenID Connect/OAuth2 clients and servers have this issue:

• token_type received from /token endpoint is case sensitive panva/openid-client#248
• authorization header in /oauth2/token endpoint is case sensitive ory/hydra#575
• Token type, Authorization header and case sensitivity golang/oauth2#113
• "bearer" is case sensitive lexik/LexikJWTAuthenticationBundle#411

Okay, so the token endpoint returns a "token_type" of "bearer", but then requires the userinfo endpoint to use "Bearer"

Some options

1. Change the token response to send token_type "Bearer" (upper case B).
2. Change the userinfo authorization to allow Athorization "bearer" (lower case b).
3. Have the client send "Authorization: Bearer" (upper case B)

Vivvo uses https://github.com/vivvo/hydra