introspection: Improves debug messages (ory#254)

handler: Adds PKCE implementation for none and S256 (ory#246)

This patch adds support for PKCE (https://tools.ietf.org/html/rfc7636) which is used by native apps (mobile) and prevents eavesdropping attacks against authorization codes.

PKCE is enabled by default but not enforced. Challenge method plain is disabled by default. Both settings can be changed using `compose.Config.EnforcePKCE` and `compose.config.EnablePKCEPlainChallengeMethod`.

Closes ory#213

introspection: Adds missing http header to response writer (ory#247)

The introspection response writer was missing `application/json`
in header `Content-Type`. This patch fixes that.

Closes ory#209

introspection: Decodes of Basic Authorization username/password (ory#245

)

Signed-off-by: Dmitry Dolbik <dolbik@gmail.com>

compose: Makes SendDebugMessages first class citizen (ory#243)

Adds ability to forward hints and debug messages to clients (ory#242)

handler/oauth2: Adds offline_access alias for refresh flow

Returns the correct error on duplicate auth code use

Improves http error codes

Resolves overriding auth_time with wrong value