Open
Description
As-is
Currently Cofacts LIFF requests the `openid` and `chat_message.write` scopes.
This triggers the following consent window when the user first opens Cofacts LIFF:
Currently the "用戶識別資訊 (必要資訊)" has caused confusion and intimidated users from proceeding.
To-be
We should use `profile` instead. If we do so, the consent window will become something similar to:
The wording of "Profile" scope (個人檔案) is more welcoming to the users.
To achieve this, we should replace current ID token mechanism with access token + get profile API from chatbot server.
Furthermore, we can access `liff.getFriendship()` after we have access to `profile` scope, allowing us to display links to add Cofacts chatbot to those who did not.
Implementation detail
- We can replace the current mechanism of passing ID tokens to passing access token instead.
- On server side, we replace ID token verification mechanism with calling `/v2/profile` for the `userId`.
- We don't need to call `/oauth2/v2.1/verify`, `/v2/profile` should be enough just for retrieving trustworthy `userId` from LINE.
Other notes
- This issue does not necessarily cover the deprecation of `urlToken` param mechanism.
- This issue does not cover `chat_message.write` (傳送訊息至聊天室). Removing this scope requires significant rewrite of the chatbot workflows, which are outlined here.
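
An added example, not code from this issue or from the Cofacts code base: one way the server side of this proposal could turn a LIFF access token into a `userId`. It also compares `client_id` from `/oauth2/v2.1/verify` with the channel ID, a check the issue treats as unnecessary and LINE's guidance includes, because `/v2/profile` alone does not say which channel a token was issued to. `resolveLineUserId`, `LineTokenError`, `fakeLine` and the sample tokens are hypothetical names and constructed values.

```javascript
// Added example. Endpoints are LINE's; every function and option name is hypothetical.
const LINE_API = 'https://api.line.me';
class LineTokenError extends Error {}

async function resolveLineUserId(accessToken, { channelId, fetchImpl = fetch }) {
  if (typeof accessToken !== 'string' || accessToken === '') {
    throw new LineTokenError('missing access token');
  }
  // 1. Which channel was the token issued to, and is it still valid?
  const verifyRes = await fetchImpl(
    `${LINE_API}/oauth2/v2.1/verify?access_token=${encodeURIComponent(accessToken)}`
  );
  if (!verifyRes.ok) throw new LineTokenError('token rejected by LINE');
  const { client_id: clientId, expires_in: expiresIn } = await verifyRes.json();
  if (clientId !== channelId) throw new LineTokenError('token issued to another channel');
  if (!(expiresIn > 0)) throw new LineTokenError('token expired');
  // 2. Read userId from LINE itself, never from a value the client sends.
  const profileRes = await fetchImpl(`${LINE_API}/v2/profile`, {
    headers: { Authorization: `Bearer ${accessToken}` },
  });
  if (!profileRes.ok) throw new LineTokenError('profile request failed');
  const { userId } = await profileRes.json();
  if (typeof userId !== 'string' || userId === '') throw new LineTokenError('no userId');
  return userId;
}

// Constructed stand-in for LINE's API so the example runs offline.
function fakeLine(tokens) {
  return async (url, init = {}) => {
    const u = new URL(url);
    const isProfile = u.pathname === '/v2/profile';
    const token = isProfile
      ? ((init.headers || {}).Authorization || '').replace(/^Bearer /, '')
      : u.searchParams.get('access_token');
    const rec = tokens[token];
    if (!rec) return { ok: false, json: async () => ({ error: 'invalid_request' }) };
    const body = isProfile
      ? { userId: rec.userId, displayName: 'constructed' }
      : { client_id: rec.clientId, expires_in: rec.expiresIn, scope: 'profile' };
    return { ok: true, json: async () => body };
  };
}

// Constructed tokens: one from our channel, one from a different channel.
const SAMPLE_TOKENS = {
  'tok-ours': { clientId: '1650000000', expiresIn: 3600, userId: 'U-constructed-a' },
  'tok-other': { clientId: '1659999999', expiresIn: 3600, userId: 'U-constructed-b' },
};
```

Without step 1, `tok-other` would resolve to `U-constructed-b` and be accepted as a user of this channel.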