
Fix: OpenIdClientSettingsStep does not protect the client secret and throws null reference exceptions #18313

Open mroskamp opened this issue 4 months ago • 3 comments

Fix issue where the client secret was not being protected when set from the OpenIdClientSettings recipe step. Fix null reference exception when Scope isn't specified in the recipe step. Fixes #18313

mroskamp avatar Sep 04 '25 18:09 mroskamp

Just to confirm: this PR is in draft, indicating that you aren't waiting for a review. Let us know once you're ready for review.

Piedone avatar Sep 11 '25 16:09 Piedone

Could you add a new property to the viewmodel named ClientSecretPlainText that can contain the plaintext secret, which you would then protect like you did? This way we can reserve the ClientSecret property for an actually protected value using custom recipe providers (js:, uuid, ...) named unprotect (out of scope for this PR). This ClientSecret could also be created during export then and would include a payload like "ClientSecret": "unprotect('super protected payload')"

Once we have a secure solution we'll then be able to obsolete this "Plaintext" field.

sebastienros avatar Sep 11 '25 18:09 sebastienros

Also, since it's for setting up a new site, there is really no existing thing to export or protect, hence in this case a decrypt action that is independent from the data protector but uses a private key configured with the app would make more sense. Or we could have some utility to protect a payload from the app itself.

sebastienros avatar Sep 11 '25 18:09 sebastienros
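The two defects named in the PR description (secret stored unprotected, null Scope crashing the step) and the ClientSecretPlainText split suggested above can be illustrated in one self-contained C# sketch. This is an added example, not OrchardCore's code or the code in the PR: the model and settings class names, the `ClientSecretPlainText` property, the `Apply` method and the purpose string `Example.OpenIdClientSettings` are all hypothetical. The only real API used is ASP.NET Core Data Protection (`IDataProtectionProvider`, `IDataProtector.Protect`/`Unprotect`, `EphemeralDataProtectionProvider`); the sample recipe JSON is constructed for the example and deliberately omits `Scope`.

```csharp
// Added illustration (not OrchardCore's code). Names below are hypothetical.
using System;
using System.Text.Json;
using Microsoft.AspNetCore.DataProtection;

// Hypothetical shape of the recipe step payload: the plaintext secret travels
// in its own field so the persisted ClientSecret can later hold a protected value.
public sealed class OpenIdClientStepModel
{
    public string ClientId { get; set; }
    public string ClientSecretPlainText { get; set; }  // supplied by the recipe author
    public string Scope { get; set; }                  // space-separated; may be absent
}

// Hypothetical persisted settings. ClientSecret must never hold plaintext.
public sealed class StoredClientSettings
{
    public string ClientId { get; set; }
    public string ClientSecret { get; set; }
    public string[] Scopes { get; set; }
}

public static class OpenIdClientStepExample
{
    // The purpose string must match the one used when the secret is unprotected later;
    // a different purpose yields a different key and Unprotect fails.
    public const string ProtectorPurpose = "Example.OpenIdClientSettings";

    public static StoredClientSettings Apply(OpenIdClientStepModel model, IDataProtectionProvider provider)
    {
        if (model is null) throw new ArgumentNullException(nameof(model));
        if (provider is null) throw new ArgumentNullException(nameof(provider));

        var protector = provider.CreateProtector(ProtectorPurpose);

        return new StoredClientSettings
        {
            ClientId = model.ClientId,
            // Protect only when a secret is present: Protect(null) throws, and an
            // absent secret should stay absent rather than become a protected empty string.
            ClientSecret = string.IsNullOrEmpty(model.ClientSecretPlainText)
                ? null
                : protector.Protect(model.ClientSecretPlainText),
            // Null-safe split: a recipe without "Scope" yields an empty array
            // instead of a NullReferenceException on .Split.
            Scopes = (model.Scope ?? string.Empty)
                .Split(' ', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries),
        };
    }

    public static void Main()
    {
        // Constructed recipe step with no "Scope" key, the case the PR fixes.
        const string json = "{ \"ClientId\": \"orchard-client\", \"ClientSecretPlainText\": \"s3cr3t\" }";
        var model = JsonSerializer.Deserialize<OpenIdClientStepModel>(json);

        // Ephemeral provider keeps the example offline; a real app resolves the
        // DI-registered IDataProtectionProvider so keys survive restarts.
        IDataProtectionProvider provider = new EphemeralDataProtectionProvider();

        var stored = Apply(model, provider);

        Console.WriteLine($"Scopes count: {stored.Scopes.Length}");
        Console.WriteLine($"Stored value equals plaintext: {stored.ClientSecret == model.ClientSecretPlainText}");

        // Consumer side: the same purpose string recovers the plaintext.
        var roundTrip = provider.CreateProtector(ProtectorPurpose).Unprotect(stored.ClientSecret);
        Console.WriteLine($"Round trip matches: {roundTrip == model.ClientSecretPlainText}");
    }
}
```

Two caveats follow from the thread. Data Protection keys are per-application and per-key-ring, so a secret protected this way is only readable by the same deployment (or one sharing its key ring); that is why the later comment argues a recipe meant to bootstrap a fresh site needs a decryption mechanism tied to a key the app is configured with rather than to the data protector. And because the recipe file itself still carries the plaintext in `ClientSecretPlainText`, the field only moves the exposure from the stored settings to the recipe, which is the reason it is flagged for eventual obsolescence.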