This approach raises a lot of questions: how do you log out? Specifically, how do we identify the user session so we can revoke all tokens issued during its lifetime? What should the auth_claim value be, and how would that value be passed to the Token Endpoint in the absence of a SidToken? (added to the AuthorizationCode?)
If we create a new kind of token to identify a client-certificate session, we'd have to be careful to take it into account everywhere in the Kernel; and when would it expire?
Original in French (translated):
This approach leaves many questions open: how does logout work? In particular, how do we identify a user session so that we can revoke all tokens issued during it? What is the value of the auth_time claim, and how is that value passed to the Token Endpoint in the absence of a SidToken? (added to the AuthorizationCode?)
If we create a new type of token to identify a session by certificate, that new type will have to be taken into account everywhere in the Kernel; also, when will it expire?
Currently, the Kernel is working as designed (as was communicated by mail, to @bobeal and a couple other people at @SICTIAM, on that specific subject on 2017-01-18), and it won't change until those questions are answered.
I'm open to discussion, but this needs to be thought through.
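As an added illustration of the session-revocation question raised above (example code, not the Kernel's own implementation nor the commenter's), the sketch below binds every issued token to a session id so that logout invalidates all of them at once, copies auth_time from the session rather than the token, and refuses to mint a token when no session id is available, which is exactly the gap a client-certificate login without a SidToken would leave. Names (`Session`, `IssuedToken`, `SessionStore`) and the in-memory store are assumptions for the demo.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    """One authenticated user session; its sid is what a SidToken would carry (assumption)."""
    sid: str
    auth_time: int          # when the user actually authenticated (epoch seconds)
    revoked: bool = False


@dataclass
class IssuedToken:
    """A token that remembers which session produced it."""
    value: str
    sid: str
    auth_time: int          # copied from the session so the claim is stable across renewals


class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.tokens: Dict[str, IssuedToken] = {}

    def login(self, now: Optional[int] = None) -> Session:
        """Open a session at authentication time; the sid is the handle for later revocation."""
        auth_time = now if now is not None else int(time.time())
        s = Session(sid=secrets.token_urlsafe(16), auth_time=auth_time)
        self.sessions[s.sid] = s
        return s

    def issue_token(self, sid: Optional[str]) -> IssuedToken:
        """Mint a token bound to a live session; with no sid there is nothing to bind to,
        so refuse rather than issue a token that could never be revoked on logout."""
        if sid is None or sid not in self.sessions or self.sessions[sid].revoked:
            raise ValueError("no live session to bind the token to")
        tok = IssuedToken(value=secrets.token_urlsafe(24), sid=sid,
                          auth_time=self.sessions[sid].auth_time)
        self.tokens[tok.value] = tok
        return tok

    def logout(self, sid: str) -> int:
        """Revoke the session; every token carrying that sid dies with it.
        Returns how many tokens were invalidated."""
        self.sessions[sid].revoked = True
        return sum(1 for t in self.tokens.values() if t.sid == sid)

    def is_valid(self, value: str) -> bool:
        tok = self.tokens.get(value)
        return tok is not None and not self.sessions[tok.sid].revoked
```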