feat: redirect to OIDC providers only once in registration flows

[David-Wobrock]

When doing a social sign-in, but some required identity fields are not provided by the social provider, Kratos switches to a registration flow in order to fill the missing data.

As #2863 describes it, the idea is that instead of redirecting back to the social provider when submitting the registration form, we handle the registration directly by Kratos and the previously stored OIDC data.

The main rationale is that it feels very unusual for users to select twice your Google account (for instance) during social sign-in. Or even more if more errors occur on the registration form.

Three steps fix this issue:

1. Store OIDC data when processing the registration: provider ID, tokens and claims are stored
2. When submitting an OIDC registration form, when OIDC data is stored, do not redirect to the provider, but instead load this data to process the registration. ⚠️ This has the side-effect that API calls (in e2e tests for instance) that previously were redirected to the social provider and became browser calls, now remain API calls.
3. When completed, delete the OIDC data from .

Related issue(s)

Fixes #2863

Core code based on #3416

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got the approval (please contact
  [email protected]) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further Comments