feat(oidc): id token for device authorization (#7088)

* cleanup todo

* pass id token details to oidc

* feat(oidc): id token for device authorization

This changes updates to the newest oidc version,
so the Device Authorization grant can return ID tokens when
the scope `openid` is set.
There is also some refactoring done, so that the eventstore can be
queried directly when polling for state.
The projection is cleaned up to a minimum with only data required for the login UI.

* try to be explicit wit hthe timezone to fix github

* pin oidc v3.8.0

* remove TBD entry

internal/domain/device_auth.go

@@ -2,28 +2,11 @@ package domain
 
 import (
 	"strconv"
-	"time"
-
-	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
 )
 
-// DeviceAuth describes a Device Authorization request.
-// It is used as input and output model in the command and query packages.
-type DeviceAuth struct {
-	models.ObjectRoot
-
-	ClientID   string
-	DeviceCode string
-	UserCode   string
-	Expires    time.Time
-	Scopes     []string
-	Subject    string
-	State      DeviceAuthState
-}
-
 // DeviceAuthState describes the step the
 // the device authorization process is in.
-// We generate the Stringer implemntation for pretier
+// We generate the Stringer implementation for prettier
 // log output.
 //
 //go:generate stringer -type=DeviceAuthState -linecomment
@@ -35,13 +18,14 @@ const (
 	DeviceAuthStateApproved                         // approved
 	DeviceAuthStateDenied                           // denied
 	DeviceAuthStateExpired                          // expired
-	DeviceAuthStateRemoved                          // removed
+
+	deviceAuthStateCount // invalid
 )
 
 // Exists returns true when not Undefined and
-// any status lower than Removed.
+// any status lower than deviceAuthStateCount.
 func (s DeviceAuthState) Exists() bool {
-	return s > DeviceAuthStateUndefined && s < DeviceAuthStateRemoved
+	return s > DeviceAuthStateUndefined && s < deviceAuthStateCount
 }
 
 // Done returns true when DeviceAuthState is Approved.