Migrate to token introspection endpoint
Instead of using the, legacy, IndieAuth token endpoint, we can instead use the RFC7662 compliant token introspection.
As we're now using spec-compliant introspection, we can remove
IndieAuthOpaqueTokenIntrospector
, instead letting an existing
implementation do this for us, as well as removing the WebFlux
dependencies.
By using existing introspection classes, we remove the ROLE_ME
usage,
and instead need to rely on the name
, which is delegated by the sub
field in our responses.
This requires we extract the check to a bean, allowing for a constant
annotation value, but runtime validation of the profile URL in the
name
against the expected profile URL.
We currently do not authenticate our requests, but will require it as part of #394.
Closes #353 (closed), #288 (closed).