Make Entra app-registration flow secretless (public PKCE)

The register flow exchanged the auth code as a confidential client
(Oidc:ClientId + Oidc:ClientSecret), requiring a pre-provisioned
backing app with a secret. Drop client_secret from the exchange so it
uses PKCE only — the backing app is now a public client and no secret
touches the client-tenant register/connect flows.

The toolbox's own OIDC sign-in still uses Oidc:ClientSecret (unchanged).

Also enable user-secrets (UserSecretsId) so Oidc config stays out of
the committed appsettings.json.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Infrastructure/OAuth/OAuthEndpoints.cs

@@ -133,15 +133,13 @@ public static class OAuthEndpoints
 
             if (flowState.IsRegistration)
             {
-                // ── Registration flow: confidential client exchange (OIDC app + secret) ──
-                var oidcClientId     = config["Oidc:ClientId"]!;
-                var oidcClientSecret = config["Oidc:ClientSecret"]!;
+                // ── Registration flow: public client exchange (PKCE only, no secret) ──
+                var oidcClientId = config["Oidc:ClientId"]!;
 
                 var body = new Dictionary<string, string>
                 {
                     ["grant_type"]    = "authorization_code",
                     ["client_id"]     = oidcClientId,
-                    ["client_secret"] = oidcClientSecret,
                     ["code"]          = code,
                     ["redirect_uri"]  = o.RedirectUri,
                     ["code_verifier"] = flowState.CodeVerifier,