Allow Authorization as CORS header and OAuth minor fixes

[abulte]

This PR:

• Allows to use implicit grant: it was not possible because we always had a secret set on an OAuth2Client, due to the way default works on a MongoEngine field. Implicit grant won't work if there's a secret set on the client. A Boolean field is_implicit is now available to bypass the secret logic. Actually, you can use client.secret = '' and it works fine 😬
• Switches the token expiration times config from the now-unused Flask-OAuthlib syntax to the new authlib one. Set expiration time to 10 days for implicit grant tokens, vs 1 hour for the lib default. Set expiration time to 30 days for other grants, as we used to specify with OAUTH2_PROVIDER_TOKEN_EXPIRES_IN.
• Adds the Authorization header as allowed PREFLIGHT_HEADERS, w/o this the implicit grant workflow is useless on a web app.

To be considered:

• Maybe deprecate implicit grant in favour of https://docs.authlib.org/en/latest/specs/rfc7636.html#specs-rfc7636 (cf https://oauth.net/2/grant-types/implicit/).
• OAUTH2_PROVIDER_ERROR_ENDPOINT and OAUTH2_REFRESH_TOKEN_GENERATOR are probably unused, but I'm not sure how to migrate those to authlib.