Description of bug:
After logging in as a local user successfully, the user will stay on the
openstax accounts site instead of getting redirected back to the
application they came from.
We use session[:return_to] to store where the user came from (See
config/initializers/doorkeeper.rb). This is set before the user gets to
the sign in form. Between the user submitting the sign in form and
SessionsController#authenticated, the session was cleared. So we were
not able to redirect the user back to the application.
The reason the session was cleared was because the openstax accounts
site has CSRF protection enabled for POST requests. The sign in form
did not have a CSRF token so session was wiped.