Corellate user sessions with access tokens

[kschiffer]

Summary

References #1422 #1844

This PR will store the session ID together with the access token. This way, we can correlate the session ID being able to:

• Implement proper client-initiated logout, by terminating only the user session that was used to create the access token
• Implement federated logout, by deleting all access tokens that were issued using this session ID and thus forcing clients to logout

Changes

• Update access token and auth code protos
• Update oauth logic to pass and store the session id to the auth code and access token record

Notes for Reviewers

This PR is a follow up of #2122 and the first of a series of changes leading to a more robust auth flow as well as the introduction of the new account app (#1422).

DB migration is necessary after this change ttn-lw-stack is-db migrate

Checklist

• Scope: The referenced issue is addressed, there are no unrelated changes.
• Compatibility: The changes are backwards compatible with existing API, database and configuration, according to the stability commitments in README.md.
• Testing: The changes are covered with unit tests. The changes are tested manually as well.
• Documentation: Relevant documentation is added or updated.
• Changelog: Significant features, behavior changes, deprecations and fixes are added to CHANGELOG.md.
• Commits: Commit messages follow guidelines in CONTRIBUTING.md, there are no fixup commits left.

[htdvisser]

Please add some checks to pkg/identityserver/oauth_registry_test.go to verify that the session ID is stored and retrieved correctly.

Please add some checks to pkg/oauth/server_test.go to verify that the session ID is properly stored in the authorization code, and propagated on authorization code exchange and token refresh.

[johanstokking]

Code owned files LGTM

[coveralls]

Coverage increased (+0.004%) to 73.345% when pulling 361ce27 on feature/token-session-correlation into d672874 on master.