[HTTP] Fix api/oas dev route (#223487)

## Summary

This fixes the `api/oas` route that was broken due to missing
`security.authz` param.

In #220231 the `security.authz` param is asserted as non-null but when
the route is assigned directly from the `internalSetup.server`, this is
not the case. I believe this is the only such case where this applies.

### Checklist

- [x] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.

---------

Co-authored-by: Elena Shostak <[email protected]>

Author: nickofthyme

src/core/packages/http/server-internal/src/http_service.ts

@@ -273,7 +273,7 @@ export class HttpService
       version: schema.maybe(schema.string()),
       excludePathsMatching: schema.maybe(stringOrStringArraySchema),
       pathStartsWith: schema.maybe(stringOrStringArraySchema),
-      pluginId: schema.maybe(schema.string()),
+      pluginId: schema.maybe(schema.string()), // i.e. `@kbn/lens-plugin`
     });
 
     server.route({
@@ -324,7 +324,15 @@ export class HttpService
         );
       },
       options: {
-        app: { access: 'public' },
+        app: {
+          access: 'public',
+          security: {
+            authz: {
+              enabled: false,
+              reason: 'Dev only route',
+            },
+          },
+        },
         auth: false,
         cache: {
           privacy: 'public',