feat: skip nonce check for Facebook Limited Login auth (#2082)

## What kind of change does this PR introduce?

nonce matching isn't supported for facebook limited login, skipping it
during OIDC login. finalizes #2046

Author: cemalkilic

internal/api/token_oidc.go

@@ -78,6 +78,8 @@ func (p *IdTokenGrantParams) getProvider(ctx context.Context, config *conf.Globa
 
 	case p.Provider == "facebook" || p.Issuer == provider.IssuerFacebook:
 		cfg = &config.External.Facebook
+		// Facebook (Limited Login) nonce check is not supported
+		cfg.SkipNonceCheck = true
 		providerType = "facebook"
 		issuer = provider.IssuerFacebook
 		acceptableClientIDs = append(acceptableClientIDs, config.External.Facebook.ClientID...)

internal/conf/configuration.go

@@ -59,13 +59,15 @@ func (t *Time) UnmarshalText(text []byte) error {
 
 // OAuthProviderConfiguration holds all config related to external account providers.
 type OAuthProviderConfiguration struct {
-	ClientID       []string `json:"client_id" split_words:"true"`
-	Secret         string   `json:"secret"`
-	RedirectURI    string   `json:"redirect_uri" split_words:"true"`
-	URL            string   `json:"url"`
-	ApiURL         string   `json:"api_url" split_words:"true"`
-	Enabled        bool     `json:"enabled"`
-	SkipNonceCheck bool     `json:"skip_nonce_check" split_words:"true"`
+	ClientID    []string `json:"client_id" split_words:"true"`
+	Secret      string   `json:"secret"`
+	RedirectURI string   `json:"redirect_uri" split_words:"true"`
+	URL         string   `json:"url"`
+	ApiURL      string   `json:"api_url" split_words:"true"`
+	Enabled     bool     `json:"enabled"`
+	// SkipNonceCheck bypasses nonce verification during OIDC token validation.
+	// Note: Nonce verification helps prevent replay attacks; only disable when necessary.
+	SkipNonceCheck bool `json:"skip_nonce_check" split_words:"true"`
 }
 
 type AnonymousProviderConfiguration struct {