kawa
0a0c59319f
The register flow exchanged the auth code as a confidential client (Oidc:ClientId + Oidc:ClientSecret), requiring a pre-provisioned backing app with a secret. Drop client_secret from the exchange so it uses PKCE only — the backing app is now a public client and no secret touches the client-tenant register/connect flows. The toolbox's own OIDC sign-in still uses Oidc:ClientSecret (unchanged). Also enable user-secrets (UserSecretsId) so Oidc config stays out of the committed appsettings.json. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>