Auto-determine idp.duo.oidc.redirectURL
Activity

Philip Smart February 24, 2021 at 3:51 PM
OK, this now works for both cases - in the cleanest way I think I can for now. The approach is as follows:
Always set the redirect_uri on the 'first' request (whichever gets there first - is synchronized) from:
1. A pre-registered redirect_uri from the properties file
2. One computed from the Host header checked against allowed origins.
Then, for Clients that support per-request redirect_uris (described by their capabilities), and where a redirect_uri is not pre-registered, an 'override_redirect_uri' is added to the Duo authn context and passed into the client when it is needed.
The Duo WebSDK client supports (1) only, but the Shib Nimbus client supports (1) and (2).
I will clean up the tests and push these changes.

Philip Smart February 22, 2021 at 5:30 PM
I'll have a think on supporting both.
Scott Cantor February 22, 2021 at 5:25 PM
I don't know that doing it once is a problem really, but I guess I'd probably do #2 and if possible support #1 for the other implementation. Otherwise I'd probably just stick with #1 for both if that's easier, it should be good enough.

Philip Smart February 22, 2021 at 4:05 PM
I have two POCs; there are pros and cons to each technically, but functionally I am struggling to decide if one is better. These are (note: both only apply if not explicitly set, and both only allow origins from the allow list):
1. (Supports both clients) Computes and sets the redirect from the 'first' request. Every other request uses the same redirectURI.
2. (Only supports the Shib Nimbus Client) Computes the redirectURI per request.
Option 2 feels better and more flexible and could be useful in practice, e.g. one IdP instance behind different vhosts configured as different SAML entities. But I am not sure if that is actually likely or if there are better cases where this would apply. Would you have a preference?

Philip Smart February 19, 2021 at 2:45 PM
I'm thinking to fix the scheme to 'https' as well in case that was downgraded. Unless we allow scheme in the hostname allow list.
It would be nice to default in idp.duo.oidc.redirectURL based on assuming the default path, and computing the scheme/host/port from the servlet API, probably by calling getContextPath. We probably have some other code emulating that approach, e.g. in the SAML ACS computation.
We should allow it to be overridden of course, but I would probably default it outright if not set, and if the leading character is a slash, I'd add the context path on the front so it's server-indifferent.
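Added example, not code from the IdP or from this ticket: a Python model of the logic the comments above converge on, with the "first request wins" caching of option (1), the per-request computation of option (2), the scheme fixed to https, the Host header validated against an exact-match allow list, and a configured value starting with "/" prefixed with the servlet context path. The callback path and the hostnames are assumed placeholders, not the IdP's real defaults.

```python
from __future__ import annotations
import threading
from urllib.parse import urlsplit

# Assumed placeholder for the default Duo callback path (not the IdP's real default).
DEFAULT_CALLBACK_PATH = "/Authn/Duo/callback"


def validated_host(host_header: str, allowed_hosts: set[str]) -> str | None:
    """Return 'host' or 'host:port' from a Host header when the host is on the
    allow list (exact, case-insensitive match); otherwise None."""
    if not host_header or any(c in host_header for c in "/@?#\\"):
        return None  # refuse anything that is not a bare authority
    try:
        parts = urlsplit("//" + host_header.strip())
        hostname, port = parts.hostname, parts.port  # .port raises on junk
    except ValueError:
        return None
    if not hostname or hostname not in {h.lower() for h in allowed_hosts}:
        return None
    host = f"[{hostname}]" if ":" in hostname else hostname  # IPv6 literal
    return host if port in (None, 443) else f"{host}:{port}"


class DuoRedirectResolver:
    def __init__(self, configured: str | None, context_path: str, allowed_hosts: set[str]):
        self.configured = configured          # idp.duo.oidc.redirectURL, may be unset
        self.context_path = context_path.rstrip("/")
        self.allowed_hosts = allowed_hosts
        self._lock = threading.Lock()
        self._cached: str | None = None

    def compute(self, host_header: str) -> str | None:
        """Option (2): derive the redirect URL from this request's Host header."""
        if self.configured and not self.configured.startswith("/"):
            return self.configured        # explicit absolute URL always wins
        # Relative or unset: prefix the context path so it is server-indifferent.
        path = self.context_path + (self.configured or DEFAULT_CALLBACK_PATH)
        host = validated_host(host_header, self.allowed_hosts)
        return None if host is None else f"https://{host}{path}"  # scheme fixed

    def redirect_url(self, host_header: str) -> str | None:
        """Option (1): the first request that yields a valid URL fixes it for all."""
        with self._lock:
            if self._cached is None:      # a rejected host is not cached; retry later
                self._cached = self.compute(host_header)
            return self._cached
```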