[OIDC] Secure state carrying using signed/verified JWT tokens #15956

Closed
@AlexTugarev

Description

Context

  • The underlying OAuth2 protocol recommends using a state parameter as a measure of protection against CSRF attacks. The key principle is that the state parameter echoed back by the IdP is matched against a state held by the user agent, so if that state is unique per flow execution, the integrity of the session can be verified.
  • In addition to a single unique state value, clients may encode a useful payload to improve UX. One common use case is the returnTo URL, which can be used to redirect the user's browser agent to the point where they were asked to authorize.
  • JWT is a well-known way to encode and sign a JSON object so it can be used as a URL parameter.

TODO

  • inject secrets to enable signing/verifying JWTs
  • implement and verify in tests that JWTs used in OIDC flows are signed
  • verify in tests that unverifiable JWTs are rejected and the OIDC flow fails
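The following is an added, self-contained illustration of the scheme described in the Context and TODO sections above; it is not code from this issue or from the project. It builds a compact HS256-signed JWT that carries a per-flow nonce plus a returnTo path, then verifies the token the IdP echoes back: signature, algorithm header, expiry, match against the nonce the user agent's session holds, and a relative-path check on returnTo. The secret, nonce, timestamps and paths are constructed test values, and the session-nonce store is assumed to be a cookie-bound value the caller supplies; a real deployment would use a maintained JWT library rather than this hand-rolled encoder.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class StateError(ValueError):
    """Raised when an OIDC state token must be rejected (flow must fail)."""


def b64url_encode(raw: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515 section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    text += "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text.encode("ascii"))


def new_nonce() -> str:
    # Unique per flow execution; the caller stores it in the user agent's session.
    return secrets.token_urlsafe(32)


def sign_state(secret: bytes, nonce: str, return_to: str, now: int = None, ttl: int = 600) -> str:
    """Build the state parameter: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"nonce": nonce, "returnTo": return_to, "iat": now, "exp": now + ttl}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_state(secret: bytes, token: str, session_nonce: str, now: int = None) -> dict:
    """Verify the state echoed back by the IdP; raise StateError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise StateError("malformed state token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise StateError("undecodable state token") from exc
    # Pin the algorithm before touching the signature: defeats alg=none / alg confusion.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise StateError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise StateError("bad signature")
    # Only parse the payload once the signature is known to be good.
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, TypeError) as exc:
        raise StateError("undecodable payload") from exc
    if not isinstance(payload, dict):
        raise StateError("payload is not an object")
    if not isinstance(payload.get("exp"), int) or payload["exp"] < now:
        raise StateError("state expired")
    # The nonce must equal the one this user agent's session started the flow with (CSRF check).
    if not hmac.compare_digest(str(payload.get("nonce", "")), session_nonce):
        raise StateError("nonce mismatch")
    # returnTo is used for a redirect, so only accept a same-site relative path.
    return_to = payload.get("returnTo", "/")
    if not isinstance(return_to, str) or not return_to.startswith("/") or return_to.startswith("//"):
        raise StateError("unsafe returnTo")
    return payload


def state_verdict(secret: bytes, token: str, session_nonce: str, now: int = None) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify_state(secret, token, session_nonce, now=now)
        return "ok"
    except StateError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed demo values; a real secret would be injected from configuration.
    demo_secret = b"constructed-demo-secret-do-not-use"
    nonce = new_nonce()
    token = sign_state(demo_secret, nonce, "/workspaces/example", now=1_700_000_000)
    print(token)
    print(state_verdict(demo_secret, token, nonce, now=1_700_000_100))
    print(state_verdict(demo_secret, token, "some-other-nonce", now=1_700_000_100))
```

The order of checks matters: the algorithm is pinned and the HMAC is verified before the payload is parsed or trusted, the nonce comparison is constant-time, and returnTo is validated as a relative path so a signed-but-stale token cannot be repurposed as an open redirect.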

Metadata

Assignees

Labels

No labels

Type

No type

Projects

Status

Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests