This repository has been archived by the owner on Feb 12, 2022. It is now read-only.

Make sure to never request login from Heroku properties that don't require it #145

Open
brandur opened this issue Mar 5, 2015 · 2 comments

Comments

@brandur
Contributor

brandur commented Mar 5, 2015

Some Heroku properties like Dev Center will attempt to detect a logged-in session via the presence of the Heroku nonce token in a user's cookie. When detected, they'll fetch an access token from Identity, usually so that they can do something fairly simple like put the user's e-mail in the property's header.

The problem here is that a Heroku nonce doesn't guarantee a valid session because when a session is invalidated or expires, there is no way for us to remove a nonce from the browsers of our users. This results in Dev Center attempting to obtain an access token and Identity undesirably asking that they log in when it realizes that they don't have a session. No one should ever have to log in to read some docs.

Build a system that can identify OAuth clients that like logged-in users, but don't require them. When a case like the above is detected, instead of requesting login Identity should simply invalidate the Heroku nonce and pass the user back to Dev Center. This system might look like an additional flag on registered_clients.
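
One way the proposed flag could drive Identity's decision, as an added example that is not Identity's own code: the `login_optional` flag on a registered client, the `redirect_host` check and the in-memory session and client tables are all assumptions made for illustration.

```ruby
require "uri"

# Constructed registry: the hypothetical :login_optional flag is the "additional flag on
# registered_clients" the issue proposes; :redirect_host is assumed for redirect validation.
REGISTERED_CLIENTS = {
  "devcenter" => { login_optional: true,  redirect_host: "devcenter.heroku.com" },
  "dashboard" => { login_optional: false, redirect_host: "dashboard.heroku.com" },
}.freeze

# Constructed session store keyed by the nonce carried in the browser cookie. A session that
# was invalidated is simply absent; an expired one is still present but past :expires_at.
NOW = Time.utc(2015, 3, 5, 12, 0, 0)
SESSIONS = {
  "nonce-live"  => { email: "user@example.com", expires_at: NOW + 3600 },
  "nonce-stale" => { email: "user@example.com", expires_at: NOW - 3600 },
}.freeze

Decision = Struct.new(:action, :redirect_to, :clear_nonce, keyword_init: true)

# Return the session record only if the nonce maps to a live, unexpired session.
def live_session(nonce, sessions: SESSIONS, now: NOW)
  session = nonce && sessions[nonce]
  session if session && session[:expires_at] > now
end

# Decide what Identity should do when a client asks for a token on behalf of a browser.
def authorize(client_id:, nonce:, return_to:, clients: REGISTERED_CLIENTS, sessions: SESSIONS, now: NOW)
  client = clients[client_id]
  return Decision.new(action: :reject, clear_nonce: false) if client.nil?
  # Only bounce the user back to the host registered for this client (avoids an open redirect).
  return Decision.new(action: :reject, clear_nonce: false) unless URI(return_to).host == client[:redirect_host]

  if live_session(nonce, sessions: sessions, now: now)
    Decision.new(action: :issue_token, redirect_to: return_to, clear_nonce: false)
  elsif client[:login_optional]
    # Stale nonce for a login-optional client: drop the cookie and send the user back
    # anonymous; no login prompt is ever shown.
    Decision.new(action: :redirect_anonymous, redirect_to: return_to, clear_nonce: !nonce.nil?)
  else
    # Clients that genuinely need a user still get the login flow; the stale nonce goes too.
    Decision.new(action: :require_login, redirect_to: return_to, clear_nonce: !nonce.nil?)
  end
end
```

The `clear_nonce` flag is what the response handler would turn into an expired `Set-Cookie` header, so the next visit to Dev Center no longer triggers a token fetch at all.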

@mikehale
Contributor

mikehale commented Mar 5, 2015

Huge 👍 to not having to login to read docs.

@raulb
Contributor

raulb commented Apr 14, 2015

+1000
