mod_http_oauth2: Remove another reference to obsolete function

mod_http_oauth2: Relax payload content type checking in revocation The code expected Content-Type: application/x-www-form-urlencoded HTTPie sent Content-Type: application/x-www-form-urlencoded; charset=utf-8 It did not work

mod_http_oauth2: Remove now unused code Was apparently only used in revocation which now uses get_request_credentials() directly

mod_http_oauth2: Allow revoking a token without OAuth client credentials If you have a valid token, and you're not supposed to have it, revoking it seems the most responsible thing to do with it, so it should be allowed, while if you are supposed to have it, you should also be allowed to revoke it.

mod_http_oauth2: Correctly verify OAuth client credentials on revocation Makes no sense to validate against username and password here, or using a token to revoke another token, or itself? In fact, upon further discussion, why do you need credentials to revoke a token? If you are not supposed to have the token, revoking it seems the most responsible thing to do with it, so it should be allowed, while if you are supposed to have it, you should be allowed to revoke it.

mod_http_oauth2: Group metadata section into OAuth and OpenID Could easily be confusing otherwise if you're reading one spec and see properties not defined there.

mod_http_oauth2: Rename oauth client credential related functions To make it more explicit what "secret" these deal with.

mod_sasl2: Pull user-agent info into sasl_handler for later reference It may be of interest to post-auth things. Putting it on the session was another option considered, but that seemed unnecessary overhead for something that might be rarely used. sasl_handler is cleared after successful authentication.

mod_adhoc_oauth2_client: Update to call into mod_http_oauth2

mod_http_oauth2: Refactor to allow reuse of OAuth client creation