Allow configuring OIDC state cookie age #40316

Merged
merged 1 commit into from
Apr 26, 2024

@sberyozkin sberyozkin commented Apr 26, 2024

Closes #40268.

The situation in #40268 was confirmed to be resolved, but I'd like to close it with a somewhat related hardening improvement - if the state cookies are lost for some reason, at least their age is controlled and is not set, for reasons I don't recall now, to 30 mins, which is way too long for state cookies, and the browser will clear these cookies much faster.
It will also let users manage the expectations of how long an authorization code flow can run. For example, if the user has been redirected to authenticate to the OIDC provider and the state cookie is set to 3 mins but the user is returned back in 20 mins (why?), then the browser will lose the state cookie and the authentication will have to be restarted.

Also updated the OIDC code flow doc, changed the TOC along the way a bit to make some sections more visible.

@quarkus-bot quarkus-bot bot added area/docstyle issues related for manual docstyle review area/documentation area/oidc labels Apr 26, 2024

quarkus-bot bot commented Apr 26, 2024

Status for workflow Quarkus Documentation CI

This is the status report for running Quarkus Documentation CI on commit 24d346f.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

⚠️ There are other workflow runs running, you probably need to wait for their status before merging.

github-actions bot commented Apr 26, 2024

🙈 The PR is closed and the preview is expired.

quarkus-bot bot commented Apr 26, 2024

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit 24d346f.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

@sberyozkin sberyozkin merged commit 22aedce into quarkusio:main Apr 26, 2024
25 checks passed
@quarkus-bot quarkus-bot bot added this to the 3.11 - main milestone Apr 26, 2024
@sberyozkin sberyozkin deleted the oidc_state_cookie_age branch April 26, 2024 17:30

Successfully merging this pull request may close these issues.

State cookies (q_auth) keeps piling up in code flow