and remove roles and oidc specifics. Instead we provide the session
in the core and forward requests to a oidc specific backend.

This also means the session can provide useful values even in case
it is used from the CLI and unauthenticated.