- Skipped v3 as that is already in use on enterprise.

(cherry picked from commit da984b2d)

* core: add hook for initializing seals for migration

Needed in enterprise version.

Fixes #7588

The OIDC Discovery standard requires the response_types_supported field
to be returned in the .well-known/openid-configuration response.

Also, the AWS IAM OIDC consumer won't accept Vault as an identity
provider without this field.

Based on examples in the OIDC Core documentation, it appears Vault
supports only the `id_token` flow, and thus that is the only value that
makes sense to be set in this field. See:

https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationExamples

* update linters

* do not swallow ControlGroupErrors when viewing or editing kvv2 secrets (#7504)

* do not swallow ControlGroupErrors when viewing or editing kvv2 secrets

* test kv v2 control group workflow

* do not manually clearModelCache when logging out since this already happens when leaving the logout route

* remove pauseTest

* update comments

* wip - looking into why restricted user can see the control group protected secret after it has already been unwrapped once

* strip version from query params so we can unwrap a secret after it is authorized

* use attachCapabilities instead of lazyCapabilities to ensure models are cleaned up properly

* remove comment

* make ControlGroupError extend AdapterError

* fix broken redirect_to test

* one day i will remember to remove my debugger statements; today is not that day

* no need to check for a ControlGroupError since it extends an AdapterError

* see if using EmberError instead of AdapterError fixes the browserstack tests

* Revert "see if using EmberError instead of AdapterError fixes the browserstack tests"

This reverts commit 14ddd67cacbf1ccecb8cc2d1f59a2c273866da72.

* resolve redirect_to merge conflict

Fixes #6694

Currently this uses a fork of the api.Renewer code, which we should consolidate in 1.3.