This now works like so:
* Element redirects to Synapse
* Synapse redirects to the configured /authorize page, which requires login.
* The authorize page does an automatic request to the guarded /api/auth/approve route (at this point we could insert a UI to require manual approval, but I don't think it's required atm).
* The /api/auth/approve route runs through the verification of the query arguments such as the client_id etc. (passport does the verification)
* Ultimately we get back a redirect location with an auth_token that will be returned to Synapse via redirect, which will redirect to Element
* voila!

This works but has some caveats:
* The client we create for matrix should probably only be able to access the oauth/token endpoint and the api/auth/info endpoint
* If we log out of Element and then try to re-authenticate, something fails because of an existing mapping I think.
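
The first caveat and the query-argument verification in the flow above, sketched as an added example that is not part of the original description or the project's code. The client id, the URLs, the HTTP methods per endpoint, the registry shape and both function names are assumptions made for illustration; in the described setup passport performs the query verification.

```javascript
// Added example. Client id, URLs and registry shape are constructed.
const CLIENTS = new Map([
  ['matrix-synapse', {
    redirectUris: ['https://synapse.example.org/_synapse/client/oidc/callback'],
    // Caveat 1: the Matrix client may only reach these two endpoints.
    // The HTTP methods are an assumption of this example.
    allowedEndpoints: new Set(['POST /oauth/token', 'GET /api/auth/info']),
  }],
]);

// Checks made before /api/auth/approve hands out a redirect location.
function verifyAuthorizeRequest(query) {
  const client = CLIENTS.get(query.client_id);
  if (!client) return { ok: false, error: 'unauthorized_client' };
  // Exact string match only: no prefix or wildcard matching on redirect_uri.
  if (!client.redirectUris.includes(query.redirect_uri)) {
    return { ok: false, error: 'invalid_redirect_uri' };
  }
  if (query.response_type !== 'code') {
    return { ok: false, error: 'unsupported_response_type' };
  }
  // Assumption: the relying party always sends a state value.
  if (typeof query.state !== 'string' || query.state.length === 0) {
    return { ok: false, error: 'invalid_request' };
  }
  return { ok: true, redirectUri: query.redirect_uri };
}

// Deny-by-default endpoint gate for requests authenticated as an OAuth client.
function isEndpointAllowed(clientId, method, rawPath) {
  const client = CLIENTS.get(clientId);
  if (!client) return false;
  // Normalise first: drop the query string and resolve dot segments.
  const path = new URL(rawPath, 'http://localhost').pathname;
  return client.allowedEndpoints.has(`${method.toUpperCase()} ${path}`);
}
```
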