Alias GitHub/Bitbucket Cloud OAuth2 callback URLs to prevent covert redirections
From https://gitlab.com/gitlab-com/gl-infra/production/issues/662, we have an issue where we can't securely share the same OAuth2 application among GitHub logins and imports because the callback URLs are different:
The same goes for Bitbucket.
Either we have to put these callbacks under the same URL structure (e.g.
/callbacks/oauth/github/login), or we have to split the OAuth2 credentials into 2 different applications.
On the infra side, it should be possible to use a separate subdomain (e.g.
oauth.gitlab.com) to handle all OAuth2 callbacks, but that seems like a separate issue.