Remove insecure query parameter fallback for client credentials

The discovery document only advertises client_secret_basic and
client_secret_post as supported authentication methods. Query parameters
are insecure because they are:
- Logged in access logs
- Stored in browser history
- Exposed in referrer headers

This fix removes the query parameter fallback, ensuring client secrets
are only accepted via:
- Authorization header (client_secret_basic)
- POST form body (client_secret_post)

This aligns the implementation with the advertised capabilities and
prevents client secret exposure through query strings.
Olivier Dumont
2025-12-30 12:40:55 +01:00
parent f006ebe5e4
commit 672914ceb7


@@ -384,7 +384,7 @@ func (controller *OIDCController) tokenError(c *gin.Context, errorCode string, e
}
func (controller *OIDCController) getClientCredentials(c *gin.Context) (string, string, error) {
// Try Basic Auth first
// Try Basic Auth first (client_secret_basic)
authHeader := c.GetHeader("Authorization")
if strings.HasPrefix(authHeader, "Basic ") {
encoded := strings.TrimPrefix(authHeader, "Basic ")
@@ -397,20 +397,15 @@ func (controller *OIDCController) getClientCredentials(c *gin.Context) (string,
}
}
// Try POST form parameters
// Try POST form parameters (client_secret_post)
clientID := c.PostForm("client_id")
clientSecret := c.PostForm("client_secret")
if clientID != "" && clientSecret != "" {
return clientID, clientSecret, nil
}
// Try query parameters
clientID = c.Query("client_id")
clientSecret = c.Query("client_secret")
if clientID != "" && clientSecret != "" {
return clientID, clientSecret, nil
}
// Do not accept credentials via query parameters as they are logged
// in access logs, browser history, and referrer headers
return "", "", fmt.Errorf("client credentials not found")
}
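Review bot: The POST-form branch is still reached when an `Authorization: Basic` header is present but fails to decode or yields an empty pair, so a malformed header silently falls through to a second authentication method; RFC 6749 §2.3.1 requires the server to reject a request that uses more than one method, and the fall-through also hides header-parsing errors that should surface to the client. Consider making the Basic branch terminal, returning on any failure with `return "", "", fmt.Errorf("malformed basic authorization header")` instead of continuing to `c.PostForm`. The body of the Basic branch is split across the two hunks, so its exact failure paths aren't visible here; if the decoded halves are not percent-decoded (the RFC requires form-urlencoding before base64), a secret containing `%` or `+` would fail under client_secret_basic while succeeding under client_secret_post, which is worth a test now that query parameters are gone. The added comment before the final `return` is good; a one-line doc comment on `getClientCredentials` naming the two accepted methods and the RFC section would let future readers find the contract without reading the body.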