mod_http_oauth2: Close site header tags

mod_http_oauth2: Fix contrast of links on consent page The default dark blue wasn't very visible on a dark background

mod_http_oauth2: token endpoint: handle missing credentials

mod_http_oauth2: Fail early when no authorization header present Fixes traceback.

mod_http_oauth2: Support HTTP Basic auth on token endpoint This is described in RFC 6749 section 2.3.1 and draft-ietf-oauth-v2-1-07 2.3.1 as the recommended way to transmit the client's credentials. The older spec even calls it the "client password", but the new spec clarifies that this is just another term for the client secret.

mod_http_oauth2: Separate extracting credentials from requests and verifying The token endpoint also uses Basic auth, but the password would be the client_secret, so we need to verify against that instead of using test_password(). Splitting this up here avoids code duplication. Possibly this new function could go into util.http...

mod_http_oauth2: Reflect ALL attributes of the client registration Per RFC 7591: " Additionally, the authorization server MUST return all registered metadata about this client, including any fields provisioned by the authorization server itself. " The idea is that the server may replace/drop fields in the registration, so what gets reflected back to the client is the source of truth about the registration.

mod_rest: Point URLs to mod_http_oauth2 in demo mode

mod_http_oauth2: Improve handling of redirect_uri matching and fallback Per OAuth 2.1, the client MUST provide a redirect_uri explicitly if it registered multiple. If it only registered a single URI, it may be omitted from the authorize request.

mod_http_oauth2: Correct field name for HTTP response status code 'code' is used in the incoming side of the Prosody HTTP stack while 'status_code' is used on the response side. Not confusing at all. The default is 200 so this mistake had no real effect.