There is no point in using the complex gorilla/sessions machinery for
storing a simple long-term cookie, just use gorilla/securecookie directly.

If we don't, they will trigger the login handler and invalidate the
current session (if any), which prevents the user from being able to
log in.

Being consistent across runs avoids generating spurious git changes.

Remove the build-time dependency on Python, the sri_map is now
generated via a small Go script.

The login handler is now a simpler, standalone http.Handler
wrapper. The separation between the SSO application and the login
handler is now fairly complete.

The login handler no longer forces the user to a specific workflow via
session cookies, but it works on a request-by-request basis instead,
which makes the "back" button works as expected (allowing the user to
bail out of a broken 2FA process, for example).

Session handling has been simplified as well: there is a single
session for authentication and login state, which should remove the
opportunity for session synchronization errors.

Temporary workaround if we do not want to maintain a whitelist.

And move the CORS handler only on the homepage endpoint.

This allows eventual future usage of 307 redirects and us accepting
POST requests without having to decode the request body.

The sso service endpoint should send the proper CORS headers and
respond to OPTIONS (for CORS prefetches) so that XmlHttpRequests on
authenticated sites can (partially) work.

Add links 'use a numeric / hardware token instead' to the 2FA login
pages, using the list of available 2FA mechanisms found in the
auth Response.

First step towards letting users pick the method they prefer.

This caused the SSO server to generate bad form links, which caused a
302, preventing POST requests to succeed.

Support serving site-specific logo, favicon, and setting a site title.

Upgrade it to 4.1.3, including dependencies.

Just serve an error on the logout page if there is no valid session,
instead of redirecting to the login workflow.

Fixes issue #8.

Fixes issue #6.

And standardize on a single structure for the gorilla session
map, using the 'data' key for our gob-encoded objects.

Using the new configuration variable 'keystore_enable_groups'.

Likely fixes issue #7 (untested).