completeLogin

suspend fun completeLogin(redirectUri: String)

Completes the OAuth login flow after the browser redirects back.

Validates the state parameter matches.
Validates the iss parameter matches the discovered auth server.
Exchanges the authorization code for tokens with PKCE + DPoP.
Verifies the sub (DID) in the token response matches the resolved DID from discovery.
Persists the session.

redirectUri

The full redirect URI from the browser callback (e.g. myapp://oauth/callback?code=...&state=...&iss=...).