The OAuth specification is very specific that there are some cases in the authorization grant flow that errors should be presented to the resource owner, and sometimes should be redirected to the client. As such, the ParamParser isn't really suitable for this flow - because there are two phases of parsing. As such, I've ripped authorizationRequest apart and moved most of the parsing into there. requestToken is yet to be implemented, and currently commented out.
This roughs out sections 2.2 and 2.3 of RFC 6750
This gives us the correct behavior if an authorization code is used multiple times, and automatically expires tokens.
By using `EitherT (Handler b v ()) m a`, we can easily chain a series of actions together, and be optimistic that they will succeed. This lets us move the failing cases out of the main function body for clarity, and remove the running indentation. Also changes all backend stuff to run in IO, not MonadIO, for symmetry with the IAuthBackend stuff in Snap.
This better reflects what is happening, and I've also documented that a client must try to ensure that the grant is locked.