Merge branch 'omniauth-csrf' into 'master'

Protect OmniAuth request phase against CSRF.

Addresses #2268.

See merge request !1793