Fix middleware order - place Authentication before TenantValidation

The JWT middleware needs to fetch signing keys from Keycloak before
tenant validation runs. The previous order caused signature validation
to fail because the middleware was blocking the JWKS endpoint requests.

- Moved Authentication before TenantValidationMiddleware
- Removed realm endpoint from exemption list (not needed with correct order)
- This allows JWT middleware to fetch signing keys and validate tokens

backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs

@@ -22,10 +22,11 @@ public class TenantValidationMiddleware
             return;
         }
 
-    // Exempt bootstrap, admin, and debug endpoints from tenant validation
+    // Exempt bootstrap, admin, debug, and Keycloak OIDC endpoints from tenant validation
     if (context.Request.Path.StartsWithSegments("/api/clubs/me") ||
         context.Request.Path.StartsWithSegments("/api/admin") ||
-        context.Request.Path.StartsWithSegments("/api/debug"))
+        context.Request.Path.StartsWithSegments("/api/debug") ||
+        context.Request.Path.StartsWithSegments("/realms"))
     {
       _logger.LogInformation("TenantValidationMiddleware: Exempting {Path} from tenant validation", context.Request.Path);
       await _next(context);

backend/WorkClub.Api/Program.cs

@@ -147,9 +147,12 @@ app.UseHttpsRedirection();
 
 app.UseCors("AllowFrontend");
 
+// IMPORTANT: Order matters! 
+// 1. Authentication must come before tenant validation so JWT middleware can fetch JWKS
+// 2. Tenant validation should come after auth but before endpoints
 app.UseAuthentication();
-app.UseAuthorization();
 app.UseMiddleware<TenantValidationMiddleware>();
+app.UseAuthorization();
 app.UseMiddleware<MemberSyncMiddleware>();
 
 app.MapHealthChecks("/health/live", new Microsoft.AspNetCore.Diagnostics.HealthChecks.HealthCheckOptions