docs: add infrastructure guide for JWT in Docker and refactor Keycloak config

Added a detailed guide (`jwt-in-docker.md`) to address JWT validation challenges in Docker environments (Split Horizon issue). Refactored Keycloak realm configuration (`meldestelle-realm.json`) with updated roles, clients, and improved infrastructure clarity. Updated `.env` variables for streamlined token validation. Adjusted Docker Compose services (`dc-backend.yaml`) to use revised Keycloak environment variables.

dc-backend.yaml

@@ -28,8 +28,8 @@ services:
       DEBUG: "${GATEWAY_DEBUG:-true}"
 
       # --- KEYCLOAK ---
-      SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI: "${SSEC_ISSUER_URI:-http://keycloak:8080/realms/meldestelle}"
-      SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI: "${SSEC_JWK_SET_URI:-http://keycloak:8080/realms/meldestelle/protocol/openid-connect/certs}"
+      SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI: "${KC_ISSUER_URI}"
+      SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI: "${KC_JWK_SET_URI}"
 
       # --- CONSUL ---
       SPRING_CLOUD_CONSUL_HOST: "${CONSUL_HOST:-consul}"
@@ -98,6 +98,10 @@ services:
       DEBUG: "${PING_DEBUG:-true}"
       SERVER_PORT: "${PING_SERVER_PORT:-8082}"
 
+      # --- KEYCLOAK ---
+      SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI: "${KC_ISSUER_URI}"
+      SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI: "${KC_JWK_SET_URI}"
+
       # --- CONSUL ---
       SPRING_CLOUD_CONSUL_HOST: "${CONSUL_HOST:-consul}"
       SPRING_CLOUD_CONSUL_PORT: "${CONSUL_HTTP_PORT:-8500}"