Need to return 200 on OPTIONS for AuthType auth-openidc when session cookie not available

[abg35]

When the AuthType is oauth20, the module returns a 200 when it receives an OPTIONS request, since OPTIONS requests do not send the Authorization header.

However, when the AuthType is auth-openidc, an OPTIONS request is unauthorized unless there is an OIDC session cookie. This means that the auth-openidc AuthType doesn't work for cors, since many browsers first send the OPTIONS request. Requesting that for OPTIONS request with auth-openidc, it also returns a 200, or that it can be configured to do so.

[zandbelt]

sorry it took a while to get to this, but this is now addressed in c675949