Security hardening.
- OIDC id tokens are cryptographically validated: signature against provider JWKS plus iss/aud/exp/nonce; validated sub is authoritative (CWE-347). Adds PyJWT[crypto]
- PKCE code_verifier no longer placed in the state sent to the provider; kept server-side only (CWE-200)
- Host-derived redirect_uri validated against an allowed_hosts allowlist (CWE-601)
- OAuth error callback handled; redirects to failure_redirect
- State validation failures return a generic detail; reason logged internally (CWE-209)
- Provider URLs must be HTTPS; HTTP client disables redirect following (CWE-918)
- OAuthToken repr masks tokens (CWE-532)
- next redirect rejects any scheme/netloc (CWE-601)