sso
Proxy routes should probably use a different prefix
Describe the bug
Currently the proxy has routes under /oauth2. While it's unlikely that apps that use SSO would also implement an OAuth 2 server, it's not impossible. In addition, the /oauth2/v1/certs endpoint is a bit misleading because, as best as I can tell, it has nothing to do with OAuth 2 and its behavior is unique to the SSO application rather than something that's been standardized.
Expected behavior
My recommendation would be to follow the rough pattern of the "well-known" standard (RFC 5785) and place the proxy routes underneath a /.sso-proxy/ prefix instead. It's not actually a "well-known" URL or I'd recommend /.well-known/sso-proxy/, but the dot and the inclusion of the name in the URL prefix should all but eliminate any risk of namespace collisions as well as reducing confusion with respect to which endpoints are related to OAuth 2 or not.
@malizz for visibility
This does sound like a great idea, was not aware of that RFC.
We have to be a bit careful of how to implement this and maybe do it in a two-step method to not break current deployments.
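The collision described in the issue and the two-step migration raised in the reply, as an added example that is not code from the sso project. The `/oauth2/token` upstream route, the `/.sso-proxy/v1/certs` path, the `X-Handled-By` header and all function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// legacyPrefix is the prefix named in the issue; newPrefix is the proposed one.
const (
	legacyPrefix = "/oauth2/"
	newPrefix    = "/.sso-proxy/"
)

// tag returns a handler that only records who answered (constructed marker).
func tag(who string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("X-Handled-By", who)
	})
}

// newProxy is a stand-in for the proxy: paths under a reserved prefix are
// answered by the proxy itself, everything else goes to the upstream app.
// serveLegacy=true models step one of a migration (both prefixes reserved);
// serveLegacy=false models step two (only the new prefix reserved).
func newProxy(upstream http.Handler, serveLegacy bool) http.Handler {
	mux := http.NewServeMux()
	mux.Handle(newPrefix, tag("proxy"))
	if serveLegacy {
		mux.Handle(legacyPrefix, tag("proxy"))
	}
	mux.Handle("/", upstream)
	return mux
}

// handledBy reports which side answered a GET for path.
func handledBy(h http.Handler, path string) string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Header().Get("X-Handled-By")
}

func main() {
	// /oauth2/token is a hypothetical route on an upstream app that runs its own OAuth 2 server.
	for _, legacy := range []bool{true, false} {
		for _, p := range []string{"/oauth2/token", "/.sso-proxy/v1/certs"} {
			fmt.Printf("legacy=%v %s -> %s\n", legacy, p, handledBy(newProxy(tag("upstream"), legacy), p))
		}
	}
}
```

While the legacy prefix is reserved, the upstream's own `/oauth2/token` never receives traffic; once only the dotted prefix is reserved, the same request reaches the upstream.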