
fix: tighten openid-connect-php constraint to ^1.0.2 (SEC_REVIEW F23)

The previous `^1.0` constraint matched v1.0.0 / v1.0.1, which carry
the iss-confusion advisory fixed in v1.0.2. `composer.lock` already
resolved to v1.0.2 in practice, but a future `composer update` would
have been free to drift backwards within the major. The new
`^1.0.2 || ^2.0` constraint floors the line at the patched release
while preserving an upgrade path to a future v2.x.

`composer audit --no-dev` was already wired into `scripts/ci.sh` for
both api and ui, so any new advisory against the locked version
fails CI.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chiappa, 4 days ago
parent
commit
f66ceaf095
2 files changed with 2 additions and 2 deletions
  1. ui/composer.json (+1 -1)
  2. ui/composer.lock (+1 -1)

+ 1 - 1
ui/composer.json

@@ -16,7 +16,7 @@
         "slim/twig-view": "^3.4",
         "slim/twig-view": "^3.4",
         "twig/twig": "^3.8",
         "twig/twig": "^3.8",
         "guzzlehttp/guzzle": "^7.8",
         "guzzlehttp/guzzle": "^7.8",
-        "jumbojett/openid-connect-php": "^1.0",
+        "jumbojett/openid-connect-php": "^1.0.2 || ^2.0",
         "monolog/monolog": "^3.5",
         "monolog/monolog": "^3.5",
         "php-di/php-di": "^7.0"
         "php-di/php-di": "^7.0"
     },
     },
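Review bot: the `|| ^2.0` half of the new constraint on the `+` line lets a future `composer update` jump straight to a not-yet-released v2.x of jumbojett/openid-connect-php, whose client API may differ, before anyone has reviewed it; since the stated goal is only to floor the line at the patched release, consider `"jumbojett/openid-connect-php": "^1.0.2"` here and widen to `^2.0` once a v2 release has actually been evaluated. Separately, the commit message says `composer audit --no-dev` runs for both api and ui, but only `ui/composer.json` changes in this commit; if the api side declares the same package, the same floor should land there in the same change so the two do not diverge.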

+ 1 - 1
ui/composer.lock

@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
         "This file is @generated automatically"
     ],
     ],
-    "content-hash": "175f58ab4f32914da59ad61251cafd97",
+    "content-hash": "681943465d12c51ffeb14f5ba3e8824e",
     "packages": [
     "packages": [
         {
         {
             "name": "fig/http-message-util",
             "name": "fig/http-message-util",
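Review bot: the only change in the lock file is the `content-hash` line, which is what you expect when a constraint changes without the resolved version moving, but it also means this hunk does not itself show that the locked `jumbojett/openid-connect-php` entry is still v1.0.2 as the commit message states; before merging, confirm that with `composer show jumbojett/openid-connect-php` and run `composer validate`, which also checks that the lock file is in sync with `composer.json`.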