feat: Complete Azure SSO implementation (v0.1.3)

- Add SSO session cleanup task (10-min expiry, 60s purge interval)
- Change callback to redirect to frontend with tokens as query params
- Add sso_callback_url to SecurityConfig with serde default
- Add SsoCallbackPage.tsx for handling SSO callback redirects
- Add /auth/sso/callback public route to App.tsx
- Add Sign in with Microsoft Azure button to LoginPage
- Replace insecure decode_jwt_payload with verify_id_token
- Implement JWKS caching (1-hour TTL) and RSA signature verification
- Validate iss, aud, exp claims on id_token
- Add jsonwebtoken dependency to pm-web crate
- Update config.example.toml with sso_callback_url setting
- Add sso_callback_url to settings response (read-only from TOML)

crates/pm-core/src/config.rs

@@ -80,6 +80,9 @@ pub struct SecurityConfig {
     pub web_tls_cert_path: String,
     /// Web UI TLS key path
     pub web_tls_key_path: String,
+    /// Frontend URL to redirect to after SSO callback (default: http://localhost:5173/auth/sso/callback)
+    #[serde(default = "default_sso_callback_url")]
+    pub sso_callback_url: String,
 }
 
 impl AppConfig {
@@ -105,6 +108,10 @@ fn default_health_check_poll_interval() -> u64 {
     300
 }
 
+fn default_sso_callback_url() -> String {
+    "http://localhost:5173/auth/sso/callback".to_string()
+}
+
 impl Default for AppConfig {
     fn default() -> Self {
         Self {
@@ -142,6 +149,7 @@ impl Default for AppConfig {
                 ca_key_path: "/etc/patch-manager/ca/ca.key".to_string(),
                 web_tls_cert_path: "/etc/patch-manager/tls/web.crt".to_string(),
                 web_tls_key_path: "/etc/patch-manager/tls/web.key".to_string(),
+                sso_callback_url: default_sso_callback_url(),
             },
         }
     }