There is no need for the complex gorilla/sessions machinery for what
is basically a single cookie, so we switch to using
gorilla/securecookie directly.

The login handler is now a simpler, standalone http.Handler
wrapper. The separation between the SSO application and the login
handler is now fairly complete.

The login handler no longer forces the user to a specific workflow via
session cookies, but it works on a request-by-request basis instead,
which makes the "back" button works as expected (allowing the user to
bail out of a broken 2FA process, for example).

Session handling has been simplified as well: there is a single
session for authentication and login state, which should remove the
opportunity for session synchronization errors.

Add methods to the httpsso package to retrieve authentication info
from the current session (by passing an *http.Request object).

Compute the origin properly.

Using CORS-enabled requests in the background.

Panic on short reads and other errors.

The proxy wraps endpoints (exposed as separate HTTP hosts) with single-sign-on
authentication.