make secure / non-secure callbackURL selectable per provider

some providers require redirectURIs to start with `https`, some don't. The current implementation lets you decide, which serverBaseUrl to use - and prefixes all callbackURL properties with that base url.
In some scenarios, it might be helpful to differ this setting on provider level.
