skip inst-fs pixel during other oauth flow

fixes CORE-1744

for example, when the other app's oauth flow is on the confirm page.
they'll have info in session[:oauth2] that would get overwritten during
the pixel's initiated oauth flow. we can wait until their down and
display the pixel on the next page after that.

test-plan:
- have inst-fs enabled
- have another app using oauth against canvas which _isn't_ trusted
  (will show confirm page)
- in an incognito window (so a login will be forced), try and
  authenticate the other app, triggering an oauth flow against canvas
- when the confirm page is displayed for that app, the inst-fs pixel
  should not be included
- when the confirm button is clicked, the oauth of the other app
  concludes successfully
- the next canvas page viewed displays the inst-fs pixel instead

Change-Id: I9b80145dfc79e393a3b6fe17c3b62566e392416c
Reviewed-on: https://gerrit.instructure.com/161567
Reviewed-by: Cody Cutrer <cody@instructure.com>
Tested-by: Jenkins
QA-Review: Michael Jasper <mjasper@instructure.com>
Product-Review: Jacob Fugal <jacob@instructure.com>

lib/inst_fs.rb

@@ -23,6 +23,7 @@ module InstFS
     end
 
     def login_pixel(user, session, oauth_host)
+      return if session[:oauth2] # don't stomp an existing oauth flow in progress
       if !session[:shown_instfs_pixel] && user && enabled?
         session[:shown_instfs_pixel] = true
         pixel_url = login_pixel_url(token: session_jwt(user, oauth_host))