Add a configuration option for the OAuth Endpoint.AuthStyle

[masonelmore]

Is your feature request related to a problem? Please describe.
The default Endpoint.AuthStyle in golang.org/x/oauth2 can make it difficult to troubleshoot OAuth configurations. If the AuthStyle is not configured, oauth2 attempts to detect how the the client ID and client secret should be sent to the IDP. It does this by making a request with the credentials in a header. If that request fails for any reason, it tries again with the credentials in the URL parameters. The problem is, only the error from the second request is returned if both of them fail. In my case, the second failure was always because the auth code was already used. See "Additional context" for more details about my specific issue. See the Endpoint documentation, and how it is implemented in the RetrieveToken function.

Describe the solution you'd like
I would like an option to configure the Endpoint.AuthStyle in the OAuth Configuration. For example, a <select> element when overriding the default configuration.

Even better would be to default the auth style to what the IDP expects.

Describe alternatives you've considered
I have considered opening an issue in golang/oauth2 about making RetrieveToken return both errors.

Additional context
I don't know if this affects other IDPs, but I ran into this problem while troubleshooting an Azure App Registration. All I got from the Portainer debug logs was a message about the auth code already being used.

2023/05/18 03:42AM DBG github.com/portainer/portainer-ee/api/oauth/oauth.go:35 > failed retrieving OAuth token | error="oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error\":\"invalid_grant\",\"error_description\":\"AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.\\r\\nTrace ID: [redacted]\\r\\nCorrelation ID: [redacted]\\r\\nTimestamp: 2023-05-18 03:42:15Z\",\"error_codes\":[54005],\"timestamp\":\"2023-05-18 03:42:15Z\",\"trace_id\":\"[redacted]\",\"correlation_id\":\"[redacted]\"}"

This didn't make sense to me. The auth code should have only been used once. I ended up creating a simple web server to make it easy for me to step through the code a debugger. That's when I noticed the auth style auto-detection in the oauth2 package. I was able to get the error for the first request.

AADSTS50146: This application is required to be configured with an application-specific signing key. It is either not configured with one, or the key has expired or is not yet valid.

Then it made sense why I saw the other error in the Portainer debug logs.

AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token.

I was able to fix the App Registration with this new information.

[melsacramento]

Hi @masonelmore, I was wondering if you'd be able to share with us some more information about the setup that you have so that we can have an easier time trying to replicate the issue