feat: support response_mode=form_post #166

@eugenioenko

Summary

Add support for response_mode=form_post as defined in OAuth 2.0 Form Post Response Mode. Currently only response_mode=query (default) is supported.

Current Behavior

  • response_mode=query works (authorization code returned as a query parameter in the redirect URI)
  • response_mode=form_post is not supported — requests using it are ignored or rejected
  • The well-known discovery document does not advertise response_modes_supported

Proposed Changes

  1. When response_mode=form_post is requested, the authorization endpoint should return an auto-submitting HTML form that POSTs the authorization response (code, state) to the redirect URI instead of redirecting with query parameters
  2. Advertise response_modes_supported: ["query", "form_post"] in the discovery document
  3. Validate that response_mode is one of the supported values

The HTML response is a simple self-submitting form:

<html><body onload="document.forms[0].submit()">
<form method="post" action="{{redirect_uri}}">
  <input type="hidden" name="code" value="{{code}}"/>
  <input type="hidden" name="state" value="{{state}}"/>
</form>
</body></html>
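As an added example (not code from this issue or from the project it targets), the Python below implements the three proposed changes end to end: response_mode validation, the auto-submitting form_post page, and a discovery document that advertises response_modes_supported. It also keeps the existing query mode beside it so the two code paths can be compared. All function and parameter names, the issuer URL and the sample code/state values are assumptions constructed for the example; the redirect_uri is assumed to have already been matched against the client's registered URIs before this code runs.

```python
"""Added example (not the project's own code): a minimal authorization-response
builder for response_mode=query and response_mode=form_post.
Function names, parameters and sample values are assumptions."""
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# the set the discovery document advertises and the validator enforces
SUPPORTED_RESPONSE_MODES = ("query", "form_post")


class UnsupportedResponseMode(ValueError):
    """Raised when the client asks for a response_mode the server does not support."""


def validate_response_mode(response_mode):
    """Proposed change 3: accept only supported values; absent means the default, query."""
    if response_mode is None:
        return "query"
    if response_mode not in SUPPORTED_RESPONSE_MODES:
        raise UnsupportedResponseMode(f"unsupported response_mode: {response_mode!r}")
    return response_mode


def render_form_post(redirect_uri, params):
    """Proposed change 1: the self-submitting form. Every interpolated value is
    HTML-escaped so a crafted state (or a registered redirect_uri containing
    quotes) cannot break out of its attribute and inject markup into the page."""
    inputs = "\n".join(
        f'  <input type="hidden" name="{html.escape(name, quote=True)}" '
        f'value="{html.escape(value, quote=True)}"/>'
        for name, value in params.items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        f'<form method="post" action="{html.escape(redirect_uri, quote=True)}">\n'
        f"{inputs}\n"
        "</form>\n"
        "</body></html>"
    )


def build_query_redirect(redirect_uri, params):
    """The existing query mode: append code and state to the redirect URI,
    preserving any query string the registered redirect_uri already carries."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def discovery_document(issuer):
    """Proposed change 2: advertise the supported modes in the well-known document."""
    return {
        "issuer": issuer,
        "authorization_endpoint": f"{issuer}/authorize",  # assumed path
        "response_modes_supported": list(SUPPORTED_RESPONSE_MODES),
    }


def authorization_response(redirect_uri, code, state=None, response_mode=None):
    """Build the authorization endpoint's success response as (status, headers, body).
    redirect_uri is assumed to be one of the client's registered redirect URIs."""
    mode = validate_response_mode(response_mode)
    params = {"code": code}
    if state is not None:
        params["state"] = state
    if mode == "form_post":
        headers = {
            "Content-Type": "text/html;charset=UTF-8",
            # the page body carries the authorization code, so keep it out of caches
            "Cache-Control": "no-store",
            "Pragma": "no-cache",
        }
        return 200, headers, render_form_post(redirect_uri, params)
    return 302, {"Location": build_query_redirect(redirect_uri, params)}, ""


if __name__ == "__main__":
    # constructed sample values, not real client data
    status, headers, body = authorization_response(
        "https://client.example/cb", "c0de-example", state="st4te-example",
        response_mode="form_post",
    )
    print(status, headers)
    print(body)
```

The escaping in render_form_post is the part worth keeping even if the rest is replaced by a template engine: state is client-chosen and echoed back verbatim, so the template must treat it as untrusted data, and a template engine should be configured for autoescaping when it renders this page. The no-store header addresses the same concern the "Why" section raises about the code leaking through browser history: the form page itself contains the code and should not be cached.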

Why

  • Practical need — some server-side web frameworks and SPAs prefer form_post to avoid leaking the authorization code in browser history and referrer headers
  • OIDC conformance — some conformance test plans test form_post support
  • Low complexity — one additional code path in the authorize handler, a small HTML template, no new infrastructure

References
