Make Entra app-registration flow secretless (public PKCE)

The register flow exchanged the auth code as a confidential client
(Oidc:ClientId + Oidc:ClientSecret), requiring a pre-provisioned
backing app with a secret. Drop client_secret from the exchange so it
uses PKCE only — the backing app is now a public client and no secret
touches the client-tenant register/connect flows.

The toolbox's own OIDC sign-in still uses Oidc:ClientSecret (unchanged).

Also enable user-secrets (UserSecretsId) so Oidc config stays out of
the committed appsettings.json.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

SharepointToolbox.Web.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
     <TargetFramework>net10.0</TargetFramework>
@@ -6,6 +6,7 @@
     <ImplicitUsings>enable</ImplicitUsings>
     <RootNamespace>SharepointToolbox.Web</RootNamespace>
     <NoWarn>$(NoWarn);NU1701;CS0618</NoWarn>
+    <UserSecretsId>ab5b666b-ca8d-4799-90ee-ec5e23658112</UserSecretsId>
   </PropertyGroup>
 
   <ItemGroup>