fix: append .well-known/openid-configuration to issuerUri in token exchanger

OidcTokenExchanger fetched the discovery document from the issuerUri
as-is, but the database stores the issuer URI (e.g. /oidc), not the
full discovery URL. Logto returns 404 for the bare issuer path.
SecurityConfig already appended the well-known suffix — now the token
exchanger does the same.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java

@@ -198,10 +198,10 @@ public class OidcTokenExchanger {
         if (providerMetadata == null || !issuerUri.equals(cachedIssuerUri)) {
             synchronized (this) {
                 if (providerMetadata == null || !issuerUri.equals(cachedIssuerUri)) {
-                    // Fetch the discovery document from the URI as-is — do not append
+                    String discoveryPath = issuerUri.endsWith("/")
-                    // .well-known/openid-configuration automatically, the user provides
+                            ? issuerUri + ".well-known/openid-configuration"
-                    // the complete URL.
+                            : issuerUri + "/.well-known/openid-configuration";
-                    URL discoveryUrl = new URI(issuerUri).toURL();
+                    URL discoveryUrl = new URI(discoveryPath).toURL();
                     try (InputStream in = InsecureTlsHelper.openStream(discoveryUrl, securityProperties.isOidcTlsSkipVerify())) {
                         JSONObject json = (JSONObject) new JSONParser(JSONParser.DEFAULT_PERMISSIVE_MODE)
                                 .parse(in);