Fix: Remove custom OIDC redirect paths, use Quarkus defaults

- Removed quarkus.oidc.authentication.redirect-path=/auth/callback
- Removed quarkus.oidc.authentication.redirect-uri explicit setting
- Changed cookie-same-site from strict to lax for OAuth compatibility
- Keycloak client updated with wildcard redirectUris: https://unionflow.lions.dev/*

This allows Quarkus OIDC to use its default callback paths instead of
the non-existent /auth/callback path that was causing 502 errors.

Fixes OAuth callback 502 Bad Gateway error.
dahoud
2025-12-13 11:54:36 +00:00
parent eeb0c31149
commit b904cd6b95


@@ -68,14 +68,12 @@ quarkus.oidc.auth-server-url=${KEYCLOAK_AUTH_SERVER_URL:https://security.lions.d
quarkus.oidc.client-id=unionflow-client
quarkus.oidc.credentials.secret=${KEYCLOAK_CLIENT_SECRET}
quarkus.oidc.application-type=web-app
quarkus.oidc.authentication.redirect-path=/auth/callback
quarkus.oidc.authentication.force-redirect-https-scheme=true
quarkus.oidc.authentication.redirect-uri=https://unionflow.lions.dev/auth/callback
quarkus.oidc.authentication.restore-path-after-redirect=true
quarkus.oidc.authentication.scopes=openid,profile,email,roles
quarkus.oidc.token.issuer=https://security.lions.dev/realms/unionflow
quarkus.oidc.tls.verification=required
quarkus.oidc.authentication.cookie-same-site=strict
quarkus.oidc.authentication.cookie-same-site=lax
quarkus.oidc.authentication.java-script-auto-redirect=false
quarkus.oidc.discovery-enabled=true
quarkus.oidc.verify-access-token=true
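
Review bot: Removing `quarkus.oidc.authentication.redirect-path` makes Quarkus derive the `redirect_uri` from whatever URL the user originally requested, and that is the reason the commit message has to widen the Keycloak client to `https://unionflow.lions.dev/*`. A wildcard redirect URI lets the authorization code be delivered to any path on the host, so an open redirect or content-injection bug anywhere under that origin becomes a way to leak codes. Prefer keeping one fixed `redirect-path` that the reverse proxy actually forwards to the application and registering only that exact URI in Keycloak. The retained `restore-path-after-redirect=true` already sends users back to the page they started from in that setup, whereas without a `redirect-path` it has no effect and can be dropped. On the `cookie-same-site` change from `strict` to `lax`, please record in the properties file why `strict` failed, since `security.lions.dev` and `unionflow.lions.dev` share the `lions.dev` site and the relaxation may not have been what fixed the 502.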