feat: specify login UI version on instance and apps (#9071)

# Which Problems Are Solved

To be able to migrate or test the new login UI, admins might want to
(temporarily) switch individual apps.
At a later point admin might want to make sure all applications use the
new login UI.

# How the Problems Are Solved

- Added a feature flag `` on instance level to require all apps to use
the new login and provide an optional base url.
- if the flag is enabled, all (OIDC) applications will automatically use
the v2 login.
  - if disabled, applications can decide based on their configuration
- Added an option on OIDC apps to use the new login UI and an optional
base url.
- Removed the requirement to use `x-zitadel-login-client` to be
redirected to the login V2 and retrieve created authrequest and link
them to SSO sessions.
- Added a new "IAM_LOGIN_CLIENT" role to allow management of users,
sessions, grants and more without `x-zitadel-login-client`.

# Additional Changes

None

# Additional Context

closes https://github.com/zitadel/zitadel/issues/8702

internal/query/auth_request_test.go

@@ -1,6 +1,7 @@
 package query
 
 import (
+	"context"
 	"database/sql"
 	"database/sql/driver"
 	_ "embed"
@@ -45,11 +46,12 @@ func TestQueries_AuthRequestByID(t *testing.T) {
 		checkLoginClient  bool
 	}
 	tests := []struct {
-		name    string
-		args    args
-		expect  sqlExpectation
-		want    *AuthRequest
-		wantErr error
+		name            string
+		args            args
+		expect          sqlExpectation
+		permissionCheck domain.PermissionCheck
+		want            *AuthRequest
+		wantErr         error
 	}{
 		{
 			name: "success, all values",
@@ -138,7 +140,7 @@ func TestQueries_AuthRequestByID(t *testing.T) {
 			wantErr: zerrors.ThrowInternal(sql.ErrConnDone, "QUERY-Ou8ue", "Errors.Internal"),
 		},
 		{
-			name: "wrong login client",
+			name: "wrong login client / not permitted",
 			args: args{
 				shouldTriggerBulk: false,
 				id:                "123",
@@ -157,7 +159,47 @@ func TestQueries_AuthRequestByID(t *testing.T) {
 				nil,
 				nil,
 			}, "123", "instanceID"),
-			wantErr: zerrors.ThrowPermissionDeniedf(nil, "OIDCv2-aL0ag", "Errors.AuthRequest.WrongLoginClient"),
+			permissionCheck: func(ctx context.Context, permission, orgID, resourceID string) (err error) {
+				return zerrors.ThrowPermissionDenied(nil, "id", "not permitted")
+			},
+			wantErr: zerrors.ThrowPermissionDenied(nil, "id", "not permitted"),
+		},
+		{
+			name: "other login client / permitted",
+			args: args{
+				shouldTriggerBulk: false,
+				id:                "123",
+				checkLoginClient:  true,
+			},
+			expect: mockQuery(expQuery, cols, []driver.Value{
+				"id",
+				testNow,
+				"otherLoginClient",
+				"clientID",
+				database.TextArray[string]{"a", "b", "c"},
+				"example.com",
+				database.NumberArray[domain.Prompt]{domain.PromptLogin, domain.PromptConsent},
+				database.TextArray[string]{"en", "fi"},
+				nil,
+				nil,
+				nil,
+			}, "123", "instanceID"),
+			permissionCheck: func(ctx context.Context, permission, orgID, resourceID string) (err error) {
+				return nil
+			},
+			want: &AuthRequest{
+				ID:           "id",
+				CreationDate: testNow,
+				LoginClient:  "otherLoginClient",
+				ClientID:     "clientID",
+				Scope:        []string{"a", "b", "c"},
+				RedirectURI:  "example.com",
+				Prompt:       []domain.Prompt{domain.PromptLogin, domain.PromptConsent},
+				UiLocales:    []string{"en", "fi"},
+				LoginHint:    nil,
+				MaxAge:       nil,
+				HintUserID:   nil,
+			},
 		},
 	}
 	for _, tt := range tests {
@@ -168,6 +210,7 @@ func TestQueries_AuthRequestByID(t *testing.T) {
 						DB:       db,
 						Database: &prepareDB{},
 					},
+					checkPermission: tt.permissionCheck,
 				}
 				ctx := authz.NewMockContext("instanceID", "orgID", "loginClient")