Commit 14eb524

Merge main: integrate OIDC metadata caching with latest main branch features
- Preserved production-grade OIDC metadata caching implementation
- Added support for multiple JWT audiences from main branch
- Updated function signatures to match main (process_oidc_callback, get_authenticated_user_info)
- Added handle_authenticated_oidc_callback support for already-authenticated users
- Maintained async caching functionality with proper HTTP client access
- Resolved all merge conflicts while keeping both new features and security fixes
2 parents d5bbcdc + 627b478 commit 14eb524

10 files changed

+812
-729
lines changed

CHANGELOG.md

Lines changed: 1 addition & 0 deletions
@@ -48,6 +48,7 @@
4848
EXECUTE dbo.proc1 DEFAULT
4949
```
5050
- The file-based routing system was improved. Now, requests to `/xxx` redirect to `/xxx/` only if `/xxx/index.sql` exists.
51+
- fix: When single sign on is enabled, and an anonymous user visits a page with URL parameters, the user is correctly redirected to the page with the parameters after login.
5152

5253
## v0.35.2
5354
- Fix a bug with zero values being displayed with a non-zero height in stacked bar charts.
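
Review bot: The entry added at new line 51 starts with a lowercase `fix:` prefix, while the entries around it are plain sentences ("The file-based routing system was improved.", "Fix a bug with zero values ..."). Suggest dropping the prefix and writing "single sign-on" so the line matches the rest of the list, for example "When single sign-on is enabled and an anonymous user visits a page with URL parameters, ...". Separately, this hunk adds no entry for the `oidc_additional_trusted_audiences` option that configuration.md gains in the same commit; if no other part of the changelog covers it, a line here would tell operators that a setting affecting which JWT audiences are accepted now exists.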

Cargo.lock

Lines changed: 13 additions & 12 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

configuration.md

Lines changed: 1 addition & 0 deletions
@@ -31,6 +31,7 @@ Here are the available configuration options and their default values:
3131
| `oidc_client_id` | sqlpage | The ID that identifies your SQLPage application to the OIDC provider. You get this when registering your app with the provider. |
3232
| `oidc_client_secret` | | The secret key for your SQLPage application. Keep this confidential as it allows your app to authenticate with the OIDC provider. |
3333
| `oidc_scopes` | openid email profile | Space-separated list of [scopes](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) your app requests from the OIDC provider. |
34+
| `oidc_additional_trusted_audiences` | unset | A list of additional audiences that are allowed in JWT tokens, beyond the client ID. When empty or unset, any additional audience is accepted. For increased security, set to an empty list `[]` to only allow the client ID as audience. |
3435
| `max_pending_rows` | 256 | Maximum number of rendered rows that can be queued up in memory when a client is slow to receive them. |
3536
| `compress_responses` | true | When the client supports it, compress the http response body. This can save bandwidth and speed up page loading on slow connections, but can also increase CPU usage and cause rendering delays on pages that take time to render (because streaming responses are buffered for longer than necessary). |
3637
| `https_domain` | | Domain name to request a certificate for. Setting this parameter will automatically make SQLPage listen on port 443 and request an SSL certificate. The server will take a little bit longer to start the first time it has to request a certificate. |
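
Review bot: The description added at new line 34 contradicts itself on what an empty value means: "When empty or unset, any additional audience is accepted" is followed by "set to an empty list `[]` to only allow the client ID as audience", so a reader cannot tell whether `[]` is the permissive or the strict setting. If the intended behaviour is that unset accepts any additional audience and `[]` accepts none, drop "empty or" from the first sentence and state the two cases separately. Since the documented default (unset) is the permissive one, it is also worth saying explicitly that tokens carrying audiences other than the client ID are accepted out of the box, and showing one example value with a non-empty list so the expected syntax is clear.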
