Implement the hybrid flow, unify code and authorization flows

[Tratcher]

We don't really implement the hybrid flow, we just do the implicit flow and then fire AuthorizationCodeReceived at the end and let you do it yourself. Using AuthorizationCodeReceived here is confusing as it fires in a different order than it would in the code flow, and means something different. It looks like we should just implement the hybrid flow, and do so before doing all of the token validations.

I think we could unify HandleCodeOnlyFlow and HandleIdTokenFlows by doing things in the following order:

1. check for a code, redeem it.
2. validate the authorization and token responses.
3. get claims from the user endpoint.

[Eilon]

After discussion it sounds like this is important to support.

[brentschmaltz]

@Tratcher @Eilon I agree the branching logic could be improved.
I think about the order slightly different since we should fault before firing the code received notification on a bad id_token.

1. If a token is received, validate
2. If a code is received, redeem code for accessToken validate,
3. if redeem flag is on, hit UserInfoEndpoint, validate
4. merge claims into claimsIdentity.

It is not clear where we fire the SecurityTokenValidated notification.

The main purpose of the 'authentication code received' notification in Katana was that we didn't redeem the code. Given that this is the OIDC handler, we could assume the code is for "user_info_endpoint' and NOT fire the event, but that may cut out some scenarios.

[muratg]

Moving this to Backlog as we will be in RC2 ask mode very soon. If you feel strongly about this issue, please ping me.

[brockallen]

Yes, this is important.

[leastprivilege]

yes - absolutely!