GitLab Rails: Consent Integration with IAM Service
Based on the [OAuth for Protocells design](https://gitlab.com/gitlab-org/architecture/auth-architecture/design-doc/-/blob/main/proposals/005-oauth_protocells.md#gitlab-as-an-oauth--oidc-provider), the IAM service should integrate with GitLab Rails as the Login provider. We would like to use Hydra's [Login flow](https://www.ory.com/docs/oauth2-oidc/custom-login-consent/flow) as inspiration for this.
Requirements:

- Consent UI
  - Present a consent form with approve/deny options
  - Display all requested scopes with clear descriptions
  - Show client application details (name, logo, owner)
  - The UI should match the current Doorkeeper consent screen UI
- Consent Challenge Acceptance
  - Accept incoming redirects from the IAM service carrying a consent challenge parameter
  - Extract and validate the consent challenge token from the query parameters
  - Store the consent challenge in the session for the verification callback
  - Fetch and display client information (name, logo, description)
  - Display the authenticated user context
- Consent Verification Callback
  - After user approval, make a verification callback to the IAM service, including the consent challenge token in the callback request
  - Include granted scopes and custom claims
  - Handle callback success/failure responses
  - Store the user's consent record
  - Redirect to the URL provided in the response
- Consent Rejection
  - If the user denies consent, send a rejection callback to the IAM service
  - Include the consent challenge and error reason in the rejection
  - Store the user's consent rejection record
  - Clear the consent challenge from the session
  - Redirect the user to the appropriate denial confirmation page
- Security Requirements
  - Consent challenge validation: the format must match the expected pattern
  - Store the consent challenge securely in the session, not exposed to the client
  - Verify the user is authenticated before displaying the consent UI
  - Verify the subject from the consent challenge matches the currently authenticated user
  - Validate that granted scopes are a subset of, or equal to, the requested scopes
  - Generate and validate a CSRF token for consent form submission
  - Bind the CSRF token to the consent challenge and the session
  - Reject form submissions with an invalid or missing CSRF token
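The security requirements above, as an added example that is not GitLab's or the IAM service's own code: a plain Ruby module that validates the challenge format, binds the CSRF token to session and challenge, checks the subject and the scope subset rule, and builds the accept or reject decision. The challenge pattern, the `process` signature and the payload field names are assumptions, since the page does not specify the IAM callback schema.

```ruby
require 'openssl'

# Assumed helper names and challenge format; the IAM callback schema is not on the page.
module ConsentChallengeCheck
  # Assumed challenge format: URL-safe token, 32..128 chars.
  CHALLENGE_PATTERN = /\A[A-Za-z0-9_-]{32,128}\z/

  module_function

  # Validate the challenge format before storing it in the session.
  def valid_challenge?(challenge)
    challenge.is_a?(String) && CHALLENGE_PATTERN.match?(challenge)
  end

  # CSRF token bound to the session id and the consent challenge, so a token
  # minted for one challenge cannot be replayed against another.
  def csrf_token(secret, session_id, challenge)
    OpenSSL::HMAC.hexdigest('SHA256', secret, "#{session_id}|#{challenge}")
  end

  # Constant-time comparison of two strings.
  def secure_equal?(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Granted scopes must be a non-empty subset of (or equal to) the requested scopes.
  def granted_scopes_ok?(requested, granted)
    !granted.empty? && (granted - requested).empty?
  end

  # Run every check on a consent form submission. Returns
  # [:accept, payload], [:reject, payload] or [:error, reason].
  def process(secret:, session_id:, challenge:, challenge_subject:, user_id:,
              requested:, granted:, csrf:, approved:)
    return [:error, 'invalid challenge format'] unless valid_challenge?(challenge)
    return [:error, 'subject mismatch'] unless challenge_subject.to_s == user_id.to_s
    expected = csrf_token(secret, session_id, challenge)
    return [:error, 'invalid csrf token'] unless secure_equal?(expected, csrf)
    unless approved
      return [:reject, { consent_challenge: challenge, error: 'access_denied' }]
    end
    return [:error, 'granted scopes exceed requested'] unless granted_scopes_ok?(requested, granted)
    [:accept, { consent_challenge: challenge, grant_scope: granted }]
  end
end
```

The CSRF check runs before the approve/deny branch so that a forged denial cannot clear a legitimate challenge from the session either.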