afcd230c3a
The /exchange-token endpoint was not sending the code_verifier to the token endpoint, rendering PKCE protection ineffective. Add the verifier to the POST body so the IdP can validate the authorization code exchange. Also add secure=True and samesite='Lax' to all OIDC cookies on /login to improve cookie security per the recommended remediation. Refs vuln-0004