
feat: OIDC SSO provider support (Keycloak, Azure AD, custom)
All checks were successful
CI Pipeline / Rust Format Check (push) Successful in 4s
CI Pipeline / Clippy Lints (push) Successful in 52s
CI Pipeline / Rust Unit Tests (push) Successful in 1m11s
CI Pipeline / Security Audit (push) Successful in 5s
CI Pipeline / Frontend Lint & Type Check (push) Successful in 15s
CI Pipeline / Build .deb & Release (push) Has been skipped

- Refactored azure_sso.rs to sso.rs with generic OIDC provider support
- Added OIDC discovery URL lookup with 1hr TTL caching
- Added PKCE for all providers, client_secret optional for public clients
- Added /api/v1/auth/sso/login and /api/v1/auth/sso/callback routes
- Added /api/v1/auth/azure/* backward-compatible routes
- Added POST /settings/sso/discover and POST /settings/sso/test endpoints
- Frontend: Provider dropdown (Keycloak/Azure AD/Custom OIDC)
- Frontend: Auto-fill discovery URL for Keycloak
- Frontend: Discover Endpoints and Test Connection buttons
- Frontend: Dynamic SSO button based on provider display name
- Made migration 014 idempotent with DO blocks and IF NOT EXISTS
- Fixed debian/install to use /usr/local/bin/ for binaries
- Fixed frontend file path in .deb package
- Reset admin password on dev server
- Fixed database permissions for oidc_config table
2026-05-13 13:32:24 +00:00
parent e3d8569b05
commit 69d2e88bbd
14 changed files with 883 additions and 496 deletions


@ -52,13 +52,15 @@ export default function SsoCallbackPage() {
}
// Build a full User object from the SSO subset, filling in sensible defaults
// auth_provider comes from the backend based on the OIDC provider type
const authProvider = (parsedUser.auth_provider as string) || 'azure_sso'
const user: User = {
id: (parsedUser.id as string) || '',
username: (parsedUser.username as string) || '',
display_name: (parsedUser.display_name as string) || '',
email: (parsedUser.email as string) || '',
role: (parsedUser.role as User['role']) || 'operator',
auth_provider: 'azure_sso',
auth_provider: authProvider as User['auth_provider'],
mfa_enabled: (parsedUser.mfa_enabled as boolean) ?? false,
is_active: true,
force_password_reset: false,
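
Review bot: On the new `authProvider` line, the value from `parsedUser.auth_provider` is asserted to `User['auth_provider']` with `as` but never checked against the values that type allows, so any non-empty string in the parsed payload ends up in the user object. Compare it against an explicit list of the provider values the frontend supports before assigning it. The `|| 'azure_sso'` fallback also labels the session as Azure whenever the field is missing, which is wrong for Keycloak or custom OIDC logins; treating a missing or unrecognized value as a callback error would be safer than defaulting. The `role` context line uses the same cast-and-default pattern and could get the same check.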