
#20628 Enable implicit flow in Gitlab as OAuth Provider

What does this MR do?

Enables implicit flow in Gitlab as OAuth provider.

Why was this MR needed?

This will enable users to use Gitlab OAuth provider for user-agent-based application (e.g. running on GitLab Pages).

Does this MR meet the acceptance criteria?

What are the relevant issue numbers?

Closes #20628 (closed) - Enable OAuth Implicit Grant. With that enabled it also resolves #2716 (closed) and #19470 (closed), as all the browser clients can apply best practices that don't require CORS for /oauth/token.

I followed up the work done by @medokin (kudos) in !6078 (closed), rebased and added some documentation.

A simple Angular app for OAuth testing can be found at empe/gitlab-implicit-grant-demo.

Concerns:

  • Commit 5194214e disabled TTL on tokens - the whole point of using access tokens is their limited timespan. Are there any arguments not to limit the token TTLs to at least one week?
  • As an OAuthProvider client, in most cases I'm only interested in user authentication, but it seems that when using implicit flow, obtaining identity via the /api/v4/user endpoint requires the api scope, which is overkill for most non-GitLab-related apps. Wouldn't read_user be sufficient?
Edited by username-removed-1407801
