auth.OAuthHandler should take http Request and Response #600
Description
Currently the definition of auth.OAuthHandler is
type OAuthHandler func(context.Context, OAuthHandlerArgs) (oauth2.TokenSource, error)
where OAuthHandlerArgs contains the resource metadata URL extracted from the WWW-Authenticate header of the HTTP response.
There is an impedance mismatch between this value and the protected resource metadata functions of the oauthex package, as illustrated by this PR, which must perform additional processing on the resource metadata URL to obtain the actual resource metadata.
Furthermore, the resource meditated URL by itself is not sufficient to validate the protected resource metadata returned by the server. That requires the request URL.
A better definition would be:
type OAuthHandler func(req *http.Request, res *http.Response) (oauth2.TokenSource, error)
Although more work is required by the handler author, we already provide the function to do it. The handler implementation should call oauthex.GetProtectedResourceMetadataFromHeader, which does all the necessary work and validation. The caller need only extract the URL from the request and the header from the response.