Make Entra app-registration flow secretless (public PKCE)

The register flow exchanged the auth code as a confidential client
(Oidc:ClientId + Oidc:ClientSecret), requiring a pre-provisioned
backing app with a secret. Drop client_secret from the exchange so it
uses PKCE only — the backing app is now a public client and no secret
touches the client-tenant register/connect flows.

The toolbox's own OIDC sign-in still uses Oidc:ClientSecret (unchanged).

Also enable user-secrets (UserSecretsId) so Oidc config stays out of
the committed appsettings.json.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Infrastructure/OAuth/OAuthEndpoints.cs

@@ -133,15 +133,13 @@ public static class OAuthEndpoints
 
             if (flowState.IsRegistration)
             {
-                // ── Registration flow: confidential client exchange (OIDC app + secret) ──
+                // ── Registration flow: public client exchange (PKCE only, no secret) ──
                 var oidcClientId = config["Oidc:ClientId"]!;
-                var oidcClientSecret = config["Oidc:ClientSecret"]!;
 
                 var body = new Dictionary<string, string>
                 {
                     ["grant_type"]    = "authorization_code",
                     ["client_id"]     = oidcClientId,
-                    ["client_secret"] = oidcClientSecret,
                     ["code"]          = code,
                     ["redirect_uri"]  = o.RedirectUri,
                     ["code_verifier"] = flowState.CodeVerifier,

SharepointToolbox.Web.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
     <TargetFramework>net10.0</TargetFramework>
@@ -6,6 +6,7 @@
     <ImplicitUsings>enable</ImplicitUsings>
     <RootNamespace>SharepointToolbox.Web</RootNamespace>
     <NoWarn>$(NoWarn);NU1701;CS0618</NoWarn>
+    <UserSecretsId>ab5b666b-ca8d-4799-90ee-ec5e23658112</UserSecretsId>
   </PropertyGroup>
 
   <ItemGroup>