
Commit b68c704

cbcoutinho and claude committed
refactor: Remove unnecessary user_oidc patch - CORSMiddleware patch is sufficient
Testing confirmed that the CORSMiddleware Bearer token patch (from upstream commit 8fb5e77db82) alone is sufficient to enable Bearer token authentication for all Nextcloud APIs, including app-specific endpoints like Notes and Calendar.

The user_oidc patch (which sets the app_api session flag) is not required when the CORSMiddleware patch is applied, as it fixes the root cause by allowing Bearer tokens to bypass CORS/CSRF checks at the framework level.

Validation:
- Restarted Nextcloud with user_oidc patch disabled
- Ran all 11 Keycloak integration tests
- All tests passed without the user_oidc patch

Updated documentation in 10-install-user_oidc-app.sh to explain why the patch is no longer needed.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
1 parent 849c67c commit b68c704


1 file changed

+4
-1
lines changed

app-hooks/post-installation/10-install-user_oidc-app.sh

Lines changed: 4 additions & 1 deletion
@@ -15,4 +15,7 @@ php /var/www/html/occ config:system:set user_oidc httpclient.allowselfsigned --v
1515
# This enables user_oidc to fetch JWKS from internal Keycloak container
1616
php /var/www/html/occ config:system:set allow_local_remote_servers --value=true --type=boolean
1717

18-
patch -u /var/www/html/custom_apps/user_oidc/lib/User/Backend.php -i /docker-entrypoint-hooks.d/patches/0001-Fix-Bearer-token-authentication-causing-session-logo.patch
18+
# Note: The user_oidc app_api session flag patch is NOT required when using the
19+
# CORSMiddleware Bearer token patch (20-apply-cors-bearer-token-patch.sh).
20+
# The CORSMiddleware patch fixes the root cause by allowing Bearer tokens to bypass
21+
# CORS/CSRF checks at the framework level.
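
Review bot: The comment added at new lines 18-21 says Bearer tokens bypass CORS/CSRF checks "at the framework level" but gives no reference for where that behaviour comes from or when it can be retired. Because this script now depends entirely on `20-apply-cors-bearer-token-patch.sh` for Bearer authentication, cite upstream commit 8fb5e77db82 (named in the commit message) in the comment, so the local framework patch can be dropped once the deployed Nextcloud release contains it, and so anyone auditing the CSRF bypass knows which change to read. Separately, the removed `patch -u` line was the only reference in this script to `0001-Fix-Bearer-token-authentication-causing-session-logo.patch`, and this commit changes one file only, so the patch file stays in `/docker-entrypoint-hooks.d/patches/`; if nothing else applies it, delete it in the same change rather than leaving an unused patch against `user_oidc/lib/User/Backend.php` in the image.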
