Fix appending of user_code query parameter. #127

Draft
wants to merge 1 commit into
base: main

karelmaxa
Member

This PR fixes handling of the user_code query parameter in gotoUrl during the OAuth2 authorization process. The old implementation does not check if the query parameter already exists. As a result, the DuplicateRequestParameterValidator throws a DuplicateRequestParameterException for a URL with an existing user_code query parameter.

@karelmaxa karelmaxa marked this pull request as draft June 26, 2023 08:40
@karelmaxa
Member Author

I'm not sure if my flow was correct. The user_code attribute should probably not be part of the OAuth2 authorize request. I will convert the PR to a draft and do more detailed analysis later.

@pavelhoral
Member

> I'm not sure if my flow was correct. The user_code attribute should probably not be part of the OAuth2 authorize request. I will convert the PR to a draft and do more detailed analysis later.

You are probably right. It does not make sense to actually have user_code as part of the /oauth2/authorize request. When the OAuth2 client can open a user agent (e.g. in the case of a mobile app), it can surely handle a custom redirect URI (app links / universal links). Device code flow with its user_code attribute is when the browser is being opened on a different device. The only case when the user_code can be used like this is, for example, when the whole authorization URL is being e-mailed... not sure if that is a valid use case.
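
The duplicate-parameter failure from the PR description, as an added example (not code from this PR or the project): an unconditional append produces a second user_code that a duplicate check rejects, while an append guarded by an existence check does not. The function names, the sample URLs and the assumption that gotoUrl is an absolute URL are hypothetical.

```javascript
// Added illustration; all names here are hypothetical, not the project's code.

// Constructed sample goto URLs (absolute URLs assumed).
const WITH_CODE =
  "https://am.example.com/oauth2/authorize?client_id=demo&response_type=code&user_code=ABCD1234";
const WITHOUT_CODE =
  "https://am.example.com/oauth2/authorize?client_id=demo&response_type=code";

// Stand-in for the server-side duplicate check: returns the names of
// query parameters that occur more than once in the URL.
function duplicateParams(url) {
  const seen = new Set();
  const dups = new Set();
  for (const [name] of new URL(url).searchParams) {
    (seen.has(name) ? dups : seen).add(name);
  }
  return [...dups];
}

// "Before": appends without looking, so an existing user_code appears twice.
function appendUserCode(gotoUrl, userCode) {
  const url = new URL(gotoUrl);
  url.searchParams.append("user_code", userCode);
  return url.toString();
}

// "After": appends only when the parameter is not already present,
// leaving an existing value untouched.
function appendUserCodeIfAbsent(gotoUrl, userCode) {
  const url = new URL(gotoUrl);
  if (!url.searchParams.has("user_code")) {
    url.searchParams.append("user_code", userCode);
  }
  return url.toString();
}

// Demonstration on the constructed inputs.
console.log(duplicateParams(appendUserCode(WITH_CODE, "ABCD1234")));
console.log(duplicateParams(appendUserCodeIfAbsent(WITH_CODE, "ABCD1234")));
console.log(appendUserCodeIfAbsent(WITHOUT_CODE, "ABCD1234"));
```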
