To reproduce:

Register a client for the `response_types=['token id_token']` for an implicit flow.

Try to get an access token with `response_type='id_token token'` and it fails; try it with `response_type='token id_token'` and it works.

Both forms should work according to RFC 6749 3.1.1.

> Extension response types MAY contain a space-delimited (%x20) list of
> values, where the order of values does not matter (e.g., response
> type "a b" is the same as "b a").

The code responsible for this is in `provider.py` and is a bit too dumb to handle permutations of the order.

```python
try:
    rtypes = _cinfo['response_types']
except KeyError:
    rtypes = ['code']  # default according to OIDC registration

if ' '.join(areq["response_type"]) not in rtypes:
    return error("invalid_request",
                 "Trying to use unregistered response_typ")
```
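
An order-insensitive form of the check in the snippet above, as an added example (not the project's code and not the reporter's fix). The function names and the `CLIENT` dict are assumptions made for illustration; rejecting repeated values is a conservative choice of this example, not something the RFC text quoted above requires.

```python
def _parse(value):
    """Turn 'a b' or ['a', 'b'] into a frozenset; None if a value repeats."""
    parts = value.split(" ") if isinstance(value, str) else list(value)
    parts = [p for p in parts if p]
    return frozenset(parts) if len(parts) == len(set(parts)) else None


def response_type_allowed(requested, client_info):
    """Order-insensitive check of a requested response_type against the
    client's registered response_types (RFC 6749 section 3.1.1)."""
    # Same default as the snippet above when nothing was registered.
    registered = client_info.get("response_types", ["code"])
    wanted = _parse(requested)
    if not wanted:  # empty request or repeated values
        return False
    # Set equality, not subset: registering "token id_token" must not
    # also permit "token" or "id_token" on its own.
    return any(wanted == _parse(r) for r in registered)


def naive_allowed(requested, client_info):
    """The string comparison from the snippet above, kept for contrast."""
    registered = client_info.get("response_types", ["code"])
    return " ".join(requested) in registered


# Constructed sample registration, matching the one in the report.
CLIENT = {"response_types": ["token id_token"]}

if __name__ == "__main__":
    samples = (["token", "id_token"], ["id_token", "token"], ["token"], ["code"])
    for rt in samples:
        print(rt, naive_allowed(rt, CLIENT), response_type_allowed(rt, CLIENT))
```
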