api: adding a gRPC call for listing refresh tokens.

storage: Add OfflineSession object to backend storage.

server: clean up test comments and code flow

Documentation: warn admins not to edit dex ThirdPartyResources manually

Fixes #706

{web,server}: use html/template and reduce use of auth request ID

Switch from using "text/template" to "html/template", which provides
basic XSS preventions. We haven't identified any particular place
where unsanitized user data is rendered to the frontend. This is
just a preventative step.

At the same time, make more templates take pure URL instead of
forming an URL themselves using an "authReqID" argument. This will
help us stop using the auth req ID in certain places, preventing
garbage collection from killing login flows that wait too long at
the login screen.

Also increase the login session window (time between initial
redirect and the user logging in) from 30 minutes to 24 hours,
and display a more helpful error message when the session expires.

How to test:

1. Spin up dex and example with examples/config-dev.yaml.
2. Login through both the password prompt and the direct redirect.
3. Edit examples/config-dev.yaml removing the "connectors" section.
4. Ensure you can still login with a password.

(email/password is "admin@example.com" and "password")

Documentation: Minor changes to SAML connector doc.

Improve SAML Signature and Response Validation

connector: add GitLab connecor

server: support POSTing to authorization endpoint

Fixes #791

Documentation/proposals: Add a proposal for refresh token revocation.

* Improve Order of Namespace Declarations and Attributes in Canonical XML. This is related to an issue in goxmldsig for which I created an [pull request](https://github.com/russellhaering/goxmldsig/pull/17).
* Do not compress the AuthnRequest if `HTTP-POST` binding is used.
* SAML Response is valid if the Message and/or the Assertion is signed.
* Add `AssertionConsumerServiceURL` to `AuthnRequest`
* Validate Status on the Response
* Validate Conditions on the Assertion
* Validation SubjectConfirmation on the Subject

cmd/dex: make connector name field mandatory in dex configuration.

Docs: Added a name to the LDAP connector

Update kubernetes.md - correct typo

Without a name, the example app's login form will only show `Log in with` as a button label.

Documentation: add docs on patch release process.

Allow CORS on keys and token endpoints

server: add at_hash claim support

The "at_hash" claim, which provides hash verification for the
"access_token," is a required claim for implicit and hybrid flow
requests. Previously we did not include it (against spec). This
PR implements the "at_hash" logic and adds the claim to all
responses.

As a cleanup, it also moves some JOSE signing logic out of the
storage package and into the server package.

For details see:

https://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDToken

Removed extra o typo

*: update refresh tokens instead of deleting and creating another