jenkinsci / oic-auth-plugin

A Jenkins plugin which lets you login to Jenkins using your own, self-hosted or public openid connect server.
https://plugins.jenkins.io/oic-auth
MIT License

Stop persisting OicSession in HTTP session when only OIDC state is required #353

Closed Vlatombe closed 1 month ago

Vlatombe commented 1 month ago

In a CloudBees CI HA setup, I recently upgraded to 4.297.vcddb_d8a_e4694 (including #310). The various changes to OicSecurityRealm broke serialization due to usage of an anonymous inner class (extending OicSession) that gets stored in session.

Storing OicSession in session is actually only required for a brief amount of time, only between doCommenceLogin and doFinishLogin. Once the user is logged in, it is no longer necessary to store the whole object. The only thing that needs to be persisted is the state, as it gets used later for logging out.

Testing done

Submitter checklist
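To illustrate the approach the PR describes (persist only the OIDC `state` string across doCommenceLogin, doFinishLogin and logout, rather than a whole OicSession object that HA session replication may fail to serialize), here is an added Java sketch; it is not the plugin's code, and the attribute name, method names and the servlet-session shape are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpSession;

// Illustrative helper (not the plugin's code): keep only the OIDC 'state'
// string in the HTTP session. A plain String is Serializable, so it survives
// session replication; an anonymous inner class holding the login flow may not.
public final class OidcStateStore {
    // Assumed session attribute name; the plugin's real key may differ.
    static final String STATE_ATTR = "oidc.state";
    private static final SecureRandom RNG = new SecureRandom();

    /** Login start (doCommenceLogin): generate an unguessable state and persist only that. */
    public static String beginLogin(HttpSession session) {
        String state = randomToken();
        session.setAttribute(STATE_ATTR, state);
        return state; // goes into the authorization request as the 'state' parameter
    }

    /**
     * Callback (doFinishLogin): the state is the CSRF binding between the
     * authorization request and the callback, so compare it in constant time.
     * The state itself stays in the session because logout still needs it.
     */
    public static boolean finishLogin(HttpSession session, String returnedState) {
        Object expected = session.getAttribute(STATE_ATTR);
        if (!(expected instanceof String) || returnedState == null) {
            return false;
        }
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                returnedState.getBytes(StandardCharsets.UTF_8));
    }

    /** Logout: the state is the only login-flow value still required. */
    public static String stateForLogout(HttpSession session) {
        Object s = session.getAttribute(STATE_ATTR);
        return s instanceof String ? (String) s : null;
    }

    // 256 bits from SecureRandom, URL-safe so it can travel in a query string.
    private static String randomToken() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }
}
```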

codecov[bot] commented 1 month ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 72.02%. Comparing base (bca3705) to head (b7205f1). Report is 14 commits behind head on master.

Additional details and impacted files

```diff
@@             Coverage Diff              @@
##             master     #353      +/-   ##
============================================
- Coverage     72.46%   72.02%   -0.45%
- Complexity      201      234      +33
============================================
  Files             9       11       +2
  Lines           839      990     +151
  Branches        119      142      +23
============================================
+ Hits            608      713     +105
- Misses          170      199      +29
- Partials         61       78      +17
```
