OIDC argument validation

[Tratcher]

The OIDC middleware does not validate if you set the ClientId or authority. It tries to fetch the metadata anyways, fails silently, and then generates redirects without any base uris.

We also need a better error if you fail to set the ClientSecret, but do enable one of the Code flows. Right now you'll get a 400/401 trying to redeem the code.

[kevinchalet]

👍 for requiring ClientId but 👎 for throwing an error if ClientSecret is not set, since one might want to use client authentication assertions instead of the good old client_id/client_secret couple.

[BrennanConroy]

962a74c