pwm
Support OIDC custom scope as an option in forgotten password (recovery) OAUTH config.
Is your feature request related to a problem? Please describe.
The forgotten password feature lacks a scope option in the OAUTH config. This is missing in the UI and also in the code in OAuthSettings.java, where these settings are actually read by PWM.
It is increasingly common that federation is via OIDC which requires a scope in addition. This use case is addressed for regular "logged in" PWM usage, but not for recovery/forgotten password scenario.
Describe the solution you'd like
In PwmSetting.java add a config option for recovery scope
RECOVERY_ID_SCOPE( "recovery.oauth.idserver.scope", PwmSettingSyntax.STRING, PwmSettingCategory.RECOVERY_OAUTH ),
In OAuthSettings.java add
.scope( config.readSettingAsString( PwmSetting.RECOVERY_ID_SCOPE ) ) // read the new recovery-specific setting, not the login-flow OAUTH_ID_SCOPE
And any other changes as required to handle this new value elsewhere (couldn't see that there was much else, but not a Java coder)
Describe alternatives you've considered
Another alternative might be that if absent, the scope is inherited from that specified in the regular OAUTH settings, but that could be quite confusing.
Additional context
We have had to make do at customers using SSPR by utilizing an external OAUTH to OIDC bridge to make this work, but it would be far nicer to see this offered in the primary PWM (and SSPR) code. It also reduces the complexity of our overall solution and the potential attack surface if it could be directly integrated into PWM.
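As an added illustration (not code from the PWM project or from the issue author), a stand-alone Java sketch of what the proposed recovery scope setting would do when the forgotten-password flow builds its OIDC authorization request. The setting key mirrors the one proposed in the issue; the RecoverySetting enum, the authorizationUrl and hasOpenIdScope helpers, and the placeholder issuer URL are assumptions made for this example.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Map;

// Hypothetical stand-in for the PwmSetting enum, holding only the recovery keys this issue touches.
enum RecoverySetting {
    RECOVERY_ID_LOGIN_URL("recovery.oauth.idserver.loginUrl"),
    RECOVERY_ID_SCOPE("recovery.oauth.idserver.scope");   // the option the issue proposes
    final String key;
    RecoverySetting(String key) { this.key = key; }
}

public final class RecoveryOAuthExample {
    // Minimal stand-in for the OAuthSettings builder: login URL plus the new, recovery-specific scope.
    static String authorizationUrl(Map<String, String> config, String clientId, String state) {
        String loginUrl = config.get(RecoverySetting.RECOVERY_ID_LOGIN_URL.key);
        String scope = config.getOrDefault(RecoverySetting.RECOVERY_ID_SCOPE.key, "");
        StringBuilder url = new StringBuilder(loginUrl)
            .append("?response_type=code")
            .append("&client_id=").append(enc(clientId))
            .append("&state=").append(enc(state));
        // Emit scope only when configured; a space-separated OIDC scope list must be URL-encoded.
        if (!scope.isBlank()) {
            url.append("&scope=").append(enc(scope.trim()));
        }
        return url.toString();
    }

    // Configuration check: an OIDC provider only issues an id_token when "openid" is requested,
    // so a recovery scope without it is a misconfiguration worth flagging at startup.
    static boolean hasOpenIdScope(String scope) {
        return Arrays.asList(scope.trim().split("\\s+")).contains("openid");
    }

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    public static void main(String[] args) {
        // Constructed config values; the issuer URL and client id are placeholders.
        Map<String, String> withScope = Map.of(
            RecoverySetting.RECOVERY_ID_LOGIN_URL.key, "https://idp.example.test/authorize",
            RecoverySetting.RECOVERY_ID_SCOPE.key, "openid profile email");
        Map<String, String> noScope = Map.of(
            RecoverySetting.RECOVERY_ID_LOGIN_URL.key, "https://idp.example.test/authorize");
        System.out.println(authorizationUrl(withScope, "pwm-recovery", "abc123")); // carries scope=
        System.out.println(authorizationUrl(noScope, "pwm-recovery", "abc123"));   // no scope: today's flow
        System.out.println("openid requested: " + hasOpenIdScope(withScope.get(RecoverySetting.RECOVERY_ID_SCOPE.key)));
    }
}
```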