Improve oauth security

[ThiefMaster]

• Use the code+PCKE flow instead of implicit flow to get the token (depends on Amazon - Dealing with the Implicit Grant Depreciated Issue / implementing Authorization code grant MrSwitch/hello.js#633)
• Stop sending the access token via query string but as a header instead

Unless Indico 3.0 is released by the time we release this, we need to keep support for the old implicit flow (and confirm whether 2.3 supports the access token in a header) and only use the new one if the server is running on indico v3.

If we manage to improve this before the indico v3 release (and publish to both the iOS and Android app stores), the "Support implicit grant for the checkin app" commit in Indico should be be reverted as it won't be needed anymore.