Switch implicit flow to hybrid flow and correct Management API scopes

[joshcanhelp]

Changes

This PR switches the Implicit login flow to use "hybrid" auth. The new flow uses response_mode=form_post to POST the id_token and state values directly to the callback URL, skipping the wp-login.php processing. The callback will still accept both token and id_token POST values to retain existing functionality. The ID token will contain a nonce which is stored in a cookie and validated when returned (see #536 for more discussion about this).

• Dequeue implicit-login.js from the wp-login.php page; removed the script entirely.
• Add private WP_Auth0_Lock10_Options::get_callback_protocol() to look for forced callback setting (this was being ignored in the implicit callback before)
• Change WP_Auth0_Lock10_Options::get_implicit_callback_url() to use main callback instead of wp-login.php
• Add response_mode=form_post to WP_Auth0_LoginManager::get_authorize_params() to preserve ULP functionality
• Add response_mode=form_post to WP_Auth0_Lock10_Options::get_lock_options()
• Fix API token scope check for user profile API actions

More info on hybrid flow

Hybrid flow is similar to the implicit grant flow except the the response from the authorization server is a POST to the application back-end instead of in an HTML fragment. This is done by passing response_mode=form_post when the Implicit Flow setting is turned on. Hybrid flow often uses response_type=code id_token but code can be omitted if an authorization code is not needed.

References

• OpenID description of form_post

Testing

• This change adds unit test coverage
• This change has been tested on the latest version of WP

Checklist

• All existing and new tests complete without errors
• All code quality tools/guidelines in the Contribution guide have been run/followed
• All relevant assets have been compiled as directed in the Contribution guide, if applicable
• All active GitHub CI checks have passed

[codecov-io]

Codecov Report

Merging #546 into master will increase coverage by 0.02%.
The diff coverage is 69.23%.

@@             Coverage Diff              @@
##             master     #546      +/-   ##
============================================
+ Coverage     15.72%   15.75%   +0.02%     
- Complexity     1538     1541       +3     
============================================
  Files            66       66              
  Lines          5316     5320       +4     
============================================
+ Hits            836      838       +2     
- Misses         4480     4482       +2

Impacted Files	Coverage Δ	Complexity Δ
lib/api/WP_Auth0_Api_Jobs_Verification.php	100% <ø> (ø)	7 <0> (ø)	⬇️
lib/api/WP_Auth0_Api_Change_Password.php	100% <100%> (ø)	10 <0> (ø)	⬇️
lib/api/WP_Auth0_Api_Delete_User_Mfa.php	100% <100%> (ø)	8 <0> (ø)	⬇️
lib/WP_Auth0_LoginManager.php	9.97% <50%> (+0.22%)	124 <0> (+2)	⬆️
lib/WP_Auth0_Lock10_Options.php	41.61% <80%> (+0.1%)	78 <2> (+1)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 12909d2...c677c97. Read the comment docs.

[cocojoe]

Why is this a hybrid flow? My understanding is hybrid flow is a combination of response_types not the response_mode. I do like this flow optimisation though in general in cutting down an additional step on the lib side.

[cocojoe]

LGTM