This avoids browsers messing up the session state (given that /login
calls session.Reset) with requests to various kinds of well-known URLs
that might not exist.

Also add an integration test for a server with non-nil URL prefix.

Fix a pretty fundamental error where group memberships could not be
verified. Also adds tests to ensure this does not happen again.

The login handler is now a simpler, standalone http.Handler
wrapper. The separation between the SSO application and the login
handler is now fairly complete.

The login handler no longer forces the user to a specific workflow via
session cookies, but it works on a request-by-request basis instead,
which makes the "back" button works as expected (allowing the user to
bail out of a broken 2FA process, for example).

Session handling has been simplified as well: there is a single
session for authentication and login state, which should remove the
opportunity for session synchronization errors.

And move the CORS handler only on the homepage endpoint.

First step towards letting users pick the method they prefer.

Just serve an error on the logout page if there is no valid session,
instead of redirecting to the login workflow.