[Security:medium] Redirection in OpenID Connect is granted by default if no URI defined in oidcRPMetaDataOptionsRedirectUris
When LL::NG is configured as OIDC provider and we declare an OIDC RP without configuring oidcRPMetaDataOptionsRedirectUris, the redirection to redirect_uri set by the RP is always granted.
The OpenID Connect core specification (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) says:
redirect_uri
REQUIRED. Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider
So I think we should return a BADURL error if no URL is configured in oidcRPMetaDataOptionsRedirectUris.