Deprecate and remove "implicit" oauth flow

[nrfox]

Kiali currently supports both "implicit" and "authorization code" oauth flows. There are security benefits to using the authorization code flow vs. the implicit flow. In addition, moving to the auth code flow would allow Kiali to take advantage of the widely used go-oidc lib.

Pros:

• Improved security
• Less to maintain
• Less to test

Cons:

• Would break providers who only support the "implicit" flow. (I'm not sure these exist)
• May require additional configuration for existing open id users

[israel-hdez]

Perhaps, we should first deprecate it with a warning in the login form. And some time later, remove it.
Just to give people a chance to do proper configs, if any.

[nrfox]

Perhaps, we should first deprecate it with a warning in the login form. And some time later, remove it.
Just to give people a chance to do proper configs, if any.

That sounds like a good plan. We could even put the implicit flow behind a feature flag that is disabled by default after giving a warning on the login form. Either way, would be good to wait X versions before completely removing since some folks won't upgrade sequentially but jump to the latest version from their current version.

[jmazzitelli]

This might also break the molecule tests. So just a reminder that we should ensure we still have those molecule tests that ensure we at least test the basics of our auth (we have openshift, openid, token, and header login tests)

[jshaughn]

This should be deprecated as of v1.60, we need to update the release notes at this time. Then we should deprecate as soon as we've given folks enough time to respond to the deprecation.

[israel-hdez]

Oops. I'll re-open. I mistakenly wrote "Fixes" in a comment in one of the related PRs.
However, deprecation notes are in place, but removal is not yet done.