feat: specify login UI version on instance and apps (#9071)

# Which Problems Are Solved

To be able to migrate or test the new login UI, admins might want to
(temporarily) switch individual apps.
At a later point admin might want to make sure all applications use the
new login UI.

# How the Problems Are Solved

- Added a feature flag `` on instance level to require all apps to use
the new login and provide an optional base url.
- if the flag is enabled, all (OIDC) applications will automatically use
the v2 login.
  - if disabled, applications can decide based on their configuration
- Added an option on OIDC apps to use the new login UI and an optional
base url.
- Removed the requirement to use `x-zitadel-login-client` to be
redirected to the login V2 and retrieve created authrequest and link
them to SSO sessions.
- Added a new "IAM_LOGIN_CLIENT" role to allow management of users,
sessions, grants and more without `x-zitadel-login-client`.

# Additional Changes

None

# Additional Context

closes https://github.com/zitadel/zitadel/issues/8702

internal/api/grpc/settings/v2/integration_test/settings_test.go

@@ -237,7 +237,7 @@ func TestServer_GetActiveIdentityProviders(t *testing.T) {
 		{
 			name: "permission error",
 			args: args{
-				ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
+				ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
 				req: &settings.GetActiveIdentityProvidersRequest{},
 			},
 			wantErr: true,