harden(oidc): relax alg-downgrade IdP-bind check to intersection-empty (Keycloak compat)

Phase-10 live-IdP smoke (Keycloak 26.x via testcontainers-go) revealed
the IdP-bind alg-downgrade check was too strict for real-world IdPs.
6 of the integration tests in internal/auth/oidc/integration_keycloak*_test.go
were failing with:

  oidc: IdP advertises weak signing algorithms (HS*/none);
  refusing to use as defense against downgrade attacks: HS256

Keycloak 26.x (and several other real-world IdPs — Auth0 when HS-mode is
enabled, some Authentik configs) advertise EVERY alg they're capable of
in the discovery doc's id_token_signing_alg_values_supported field, even
when the realm only signs with RS256 in practice. Pre-fix the IdP-bind
check refused on ANY HS* or 'none' advertisement → no real Keycloak deploy
could ever bind a provider row, hence the integration-test failures.

The strict-deny check was defense-in-depth on top of the load-bearing
per-token alg-pin at sig-verify time (isDisallowedAlg, service.go L1177):
that check rejects every ID token whose JWS header carries an alg outside
DefaultAllowedAlgs, regardless of what the discovery doc advertises.
A forged HS256 token signed with the IdP's RS256 pubkey as HMAC secret
is rejected at sig-verify time → the actual algorithm-confusion attack
is closed by the per-token pin, NOT by the discovery-doc check.

Fix: relax the IdP-bind check to refuse only when the intersection of
advertised vs DefaultAllowedAlgs is EMPTY (the pathological all-weak-alg
IdP case). Keycloak (RS256 + HS256 advertised) now binds successfully;
an HS-only IdP still fails closed.

Changes:
- internal/auth/oidc/service.go: rewrite the alg-check loop at L1067 in
  getOrLoad / RefreshKeys to compute the intersection set; refuse only
  when no acceptable alg is advertised. ErrIdPDowngradeAdvertised
  docstring updated to reflect new contract. DefaultAllowedAlgs
  docstring + the package-level design-comment block at L40-72 updated
  with v2.1.0-relaxed semantics callouts.
- internal/auth/oidc/test_discovery.go: TestDiscovery dry-run validator
  rewritten to surface HS*/none alongside RS* as an informational note
  ('note: IdP advertises weak algorithms %v alongside acceptable ones')
  rather than a hard-fail error. HS-only / none-only still hard-fails.
- internal/auth/oidc/service_test.go: TestService_IdPDowngradeDefense_*
  tests updated. Renamed:
  - RejectsHSAdvertised → RS256PlusHS256_BindsSuccessfully (positive)
  - RejectsNoneAdvertised → RejectsHSOnlyAdvertised (intersection-empty)
  - RefreshKeys_CatchesPostLoadDowngrade rotated to HS-only post-load
- internal/auth/oidc/coverage_fill_test.go: TestTestDiscovery_AlgDowngradeDetected
  split into _HS256AlongsideRS256_BindsWithNote (positive, asserts note
  but no hard-fail) + _HSOnly_StillTrips_HardFail (intersection-empty).
- docs/operator/auth-threat-model.md: OIDC token-validation alg-allow-list
  section rewritten to call out the load-bearing-defense hierarchy
  (per-token pin first, IdP-bind check defense-in-depth) and document
  the v2.1.0 relaxation rationale.
- CHANGELOG.md: ### Security entry under Unreleased.

Verify: go test ./internal/auth/oidc/ -short PASS; gofmt clean; go vet
clean. The Keycloak integration tests should now pass when the operator
re-runs 'make keycloak-integration-test'.

internal/auth/oidc/coverage_fill_test.go

@@ -124,11 +124,13 @@ func TestTestDiscovery_HappyPath_AgainstMockIdP(t *testing.T) {
 	}
 }
 
-// TestTestDiscovery_AlgDowngradeDetected runs against a stub IdP that
-// advertises HS256 in id_token_signing_alg_values_supported. The
-// function MUST flag the downgrade attack vector in res.Errors but
-// MUST NOT short-circuit (per-leg observability is the contract).
-func TestTestDiscovery_AlgDowngradeDetected(t *testing.T) {
+// TestTestDiscovery_AlgDowngrade_HS256AlongsideRS256_BindsWithNote runs
+// against a stub IdP that advertises both HS256 + RS256 (Keycloak-shape).
+// Under v2.1.0-relaxed semantics this must SUCCEED (DiscoverySucceeded=true,
+// JWKSReachable=true) and surface only an informational note about the
+// weak-alg advertisement — NOT a hard "alg-downgrade defense tripped" error.
+// The per-token alg pin at sig-verify time remains the load-bearing defense.
+func TestTestDiscovery_AlgDowngrade_HS256AlongsideRS256_BindsWithNote(t *testing.T) {
 	svc := newServiceForUnitTest(t)
 	mux := http.NewServeMux()
 	srv := httptest.NewServer(mux)
@@ -156,15 +158,60 @@ func TestTestDiscovery_AlgDowngradeDetected(t *testing.T) {
 	if !res.DiscoverySucceeded {
 		t.Errorf("expected DiscoverySucceeded=true; got Errors=%v", res.Errors)
 	}
+	// The Keycloak-shape advertisement must NOT trip the hard fail.
+	for _, e := range res.Errors {
+		if strings.Contains(e, "alg-downgrade defense tripped") {
+			t.Errorf("v2.1.0-relaxed semantics: HS256+RS256 must NOT trip hard fail; got %q", e)
+		}
+	}
+	// Informational note must be present.
+	noteFound := false
+	for _, e := range res.Errors {
+		if strings.Contains(e, "note:") && strings.Contains(e, "HS256") {
+			noteFound = true
+		}
+	}
+	if !noteFound {
+		t.Errorf("expected informational note about HS256 in errors; got %v", res.Errors)
+	}
+}
+
+// TestTestDiscovery_AlgDowngrade_HSOnly_StillTrips_HardFail asserts the
+// pathological intersection-empty case still hard-fails.
+func TestTestDiscovery_AlgDowngrade_HSOnly_StillTrips_HardFail(t *testing.T) {
+	svc := newServiceForUnitTest(t)
+	mux := http.NewServeMux()
+	srv := httptest.NewServer(mux)
+	defer srv.Close()
+
+	mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(map[string]interface{}{
+			"issuer":                                srv.URL,
+			"authorization_endpoint":                srv.URL + "/authorize",
+			"token_endpoint":                        srv.URL + "/token",
+			"jwks_uri":                              srv.URL + "/jwks",
+			"id_token_signing_alg_values_supported": []string{"HS256", "HS384"}, // no RS
+		})
+	})
+	mux.HandleFunc("/jwks", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		_, _ = w.Write([]byte(`{"keys":[]}`))
+	})
+
+	res, err := svc.TestDiscovery(context.Background(), srv.URL)
+	if err != nil {
+		t.Fatalf("TestDiscovery: %v", err)
+	}
 	found := false
 	for _, e := range res.Errors {
-		if strings.Contains(e, "alg-downgrade defense tripped") && strings.Contains(e, "HS256") {
+		if strings.Contains(e, "alg-downgrade defense tripped") && strings.Contains(e, "only weak algorithms") {
 			found = true
 			break
 		}
 	}
 	if !found {
-		t.Errorf("expected alg-downgrade-tripped:HS256 in errors; got %v", res.Errors)
+		t.Errorf("expected hard-fail for HS-only IdP; got %v", res.Errors)
 	}
 }