fix: accept the full discovered oidc configuration

[Lapin0t]

Hi @tale, thanks for headplane!

On lastest main I got an oauth2 redirect loop. My oauth2 provider is kanidm and by debugging using something very similar to #384 I found out it is because by default kanidm only supports ES256 JWS signature alg, which headplane refuses. The actual exception was:

OperationProcessingError: unexpected JWT "alg" header parameter
    at OPE (file:///opt/headplane/build/server/assets/index-BgoO6cJe.js:6476:9)
    at checkSigningAlgorithm (file:///opt/headplane/build/server/assets/index-BgoO6cJe.js:7119:159)
    at validateJwt (file:///opt/headplane/build/server/assets/index-BgoO6cJe.js:7049:2)
    at processGenericAccessTokenResponse (file:///opt/headplane/build/server/assets/index-BgoO6cJe.js:6873:33)
    at process.processTicksAndRejections (node:internal/process/task_queues:103:5)
    at async processAuthorizationCodeOpenIDResponse (file:///opt/headplane/build/server/assets/index-BgoO6cJe.js:6983:17)
    at async authorizationCodeGrant (file:///opt/headplane/build/server/assets/index-BgoO6cJe.js:8875:12)
    at async loader$14 (file:///opt/headplane/build/server/assets/node-yAUGHSmu.js:37385:18)
    at async callRouteHandler (file:///opt/headplane/build/server/assets/index-BgoO6cJe.js:5670:15)
    at async commonRoute.loader (file:///opt/headplane/build/server/assets/index-BgoO6cJe.js:5769:12) {
  code: 'OAUTH_INVALID_RESPONSE',
  [cause]: [Object]
}

It is easy to fix this on the kanidm side as they have a switch to enable legacy crypto which will emit RS256 signatures which are accepted.

However it is also easy to fix on the headplane side, as openid-client fully supports ES256. The bug actually comes from the fact that headplane throws out all the optional items of the auto-discovered server config, and that the default config only accepts RS256 (as can be seen in processGenericAccessTokenResponse).

For now I did the most lightweight fix possible, but maybe we should rework a bit the logic in discoveryCoalesce? It looks a bit too complicated for what it does.. I'd guess most oauth2 provider actualy have a working auto-discovery, perhaps we could remove all of the manual config (authorization_endpoint, token_endpoint, userinfo_endpoint as well as use_pkce).

[tale]

I can't justify removing the manual configuration, it'll cause non-standard issuers like Sign in with GitHub to break. This fix appears to work so I'll merge this in though, thank you!

[9SMTM6]

@tale is this in v0.6.2-beta.4? I didnt see it in the changelog, but my issue from #340 is solved with that release (so I dont have to switch to legacy crypto in kanidm to make OIDC work).

Perhaps it was fixed by something else. But this was also merged before the release.