feat: implement OIDC PKCE flow for Keycloak login with frontend-client

Completed OIDC Authorization Code Flow with PKCE (S256) for JS and JVM platforms.
- Added `launchOidcFlow`, `consumePendingOidcCallback`, and `getOidcRedirectUri` with platform-specific implementations.
- Integrated SHA-256 and Base64URL helpers for PKCE.
- Updated `LoginViewModel` with OIDC logic (key handling, token exchange, state validation).
- Enhanced `LoginScreen` with an OIDC login button and loading spinner.
- Verified implementation with system hardening roadmap tasks.

Includes browser redirects for JS, localhost HTTP callback for JVM, and built-in Keycloak URL construction.

Signed-off-by: Stefan Mogeritsch <stefan.mo.co@gmail.com>

docs/01_Architecture/_archive/2026-01-15_Roadmap_System_Hardening.md

@@ -68,5 +68,10 @@ last_update: 2026-03-09
     - Prüfen der `kotlinx-browser` Version.
 
 ### 3.2 Auth Integration
-- [ ] **OIDC Client:** _(offen — abhängig von Keycloak Härtung)_
-    - Implementierung des Login-Flows mit `ktor-client-auth` und Keycloak.
+
+- [x] **OIDC Client:** _(verifiziert 2026-03-09)_
+  - PKCE Authorization Code Flow (S256) mit `frontend-client`.
+  - Pure Kotlin SHA-256 + PkceHelper (commonMain, kein expect/actual).
+  - JVM: lokaler Callback-Server (Port 18080) + `Desktop.browse()`.
+  - JS: Seiten-Redirect + URL-Parsing beim App-Start + `replaceState`-Bereinigung.
+  - `LoginViewModel` + `LoginScreen` um OIDC-Button erweitert.