Remove redundant 'openid' scope special case logic

The special case for adding 'openid' scope was redundant and could
potentially bypass client scope restrictions. The main loop already
correctly adds 'openid' to validScopes if it's in both requestedScopes
and allowedScopes.

Since 'openid' is already in the default scopes during client
configuration (SyncClientsFromConfig), it will be available for
clients that don't explicitly configure scopes. Clients can include
or exclude 'openid' in their allowedScopes as needed.

This ensures consistent enforcement of client scope restrictions
with no special-case bypasses.

Author: shreknel

internal/service/oidc_service.go

@@ -323,22 +323,6 @@ func (oidc *OIDCService) ValidateScope(client *model.OIDCClient, requestedScopes
 		}
 	}
 
-	// Only include "openid" if it was requested AND it's in the client's allowed scopes
-	// This respects client scope restrictions and doesn't bypass allowedScopes
-	if contains(requestedScopesList, "openid") && contains(allowedScopes, "openid") {
-		// Check if "openid" is already in validScopes (added by the loop above)
-		hasOpenID := false
-		for _, scope := range validScopes {
-			if scope == "openid" {
-				hasOpenID = true
-				break
-			}
-		}
-		if !hasOpenID {
-			validScopes = append(validScopes, "openid")
-		}
-	}
-
 	return validScopes, nil
 }