The user can now authenticate with the authorization
server's authorization endpoint and receive a fake
id token.

Client must now be registered prior to imitating a
call to the token endpoint with the password flow.

Squashed commits:

[fdcef62] Rename authorization endpoint to protected resource endpoint

closes #6615

this commit could also be named "Remove user error", but that would look
like I am too stupid to use bundler.