Switch from using "text/template" to "html/template", which provides
basic XSS preventions. We haven't identified any particular place
where unsanitized user data is rendered to the frontend. This is
just a preventative step.

At the same time, make more templates take pure URL instead of
forming an URL themselves using an "authReqID" argument. This will
help us stop using the auth req ID in certain places, preventing
garbage collection from killing login flows that wait too long at
the login screen.

Also increase the login session window (time between initial
redirect and the user logging in) from 30 minutes to 24 hours,
and display a more helpful error message when the session expires.

How to test:

1. Spin up dex and example with examples/config-dev.yaml.
2. Login through both the password prompt and the direct redirect.
3. Edit examples/config-dev.yaml removing the "connectors" section.
4. Ensure you can still login with a password.

(email/password is "admin@example.com" and "password")

Documentation: add docs on patch release process.

Allow CORS on keys and token endpoints

server: add at_hash claim support

The "at_hash" claim, which provides hash verification for the
"access_token," is a required claim for implicit and hybrid flow
requests. Previously we did not include it (against spec). This
PR implements the "at_hash" logic and adds the claim to all
responses.

As a cleanup, it also moves some JOSE signing logic out of the
storage package and into the server package.

For details see:

https://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDToken

Removed extra o typo

*: update refresh tokens instead of deleting and creating another

The server implements a strategy called "Refresh Token Rotation" to
ensure refresh tokens can only be claimed once.

ref: https://tools.ietf.org/html/rfc6819#section-5.2.2.3

Previously "refresh_token" values in token responses where just the
ID of the internal refresh object. To implement rotation, when a
client redeemed a refresh token, the object would be deleted, a new
one created, and the new ID returned as the new "refresh_token".

However, this means there was no consistent ID for refresh tokens
internally, making things like foreign keys very hard to implement.
This is problematic for revocation features like showing all the
refresh tokens a user or client has out.

This PR updates the "refresh_token" to be an encoded protobuf
message, which holds the internal ID and a nonce. When a refresh
token is used, the nonce is updated to prevent reuse, but the ID
remains the same. Additionally it adds the timestamp of each
token's last use.

server: fixes for the implicit and hybrid flow

Accept the following response_type for the implicit flow:

    id_token
    token id_token

And the following for hybrid flow

    code id_token
    code token
    code token id_token

This corrects the previous behavior of the implicit flow, which
only accepted "token" (now correctly rejected).

Add an experimental SAML connector

storage: Add ConnectorData to storage RefreshToken.

Allow CORS on discovery endpoint

Bump go-oidc package

connector/ldap: enable groupSearch to be empty

*: add 'make revendor' and tests to catch incorrect glide usage

Introducing glide-vc caused us to unknowingly removed our Go
protobuf compiler (since it's a main). Add flags to glide-vc usage
to remedy this.

Since we now require several glide and glide-vc flags, add a Makfile
target and tests to catch when PRs don't use the correct flags.

build fails

replace bcrypt hash with a working one

replace bcrypt hash with an appropriate value for the string "password"

server: use UTC timestamps in dex.