fix(validation): allow RFC 6749 VSCHAR characters in client_id and client_secret

[tony-engineering]

Summary

I'm trying to automate OIDC clients provisioning in Nextcloud and hit a wall, took me some time to understand issue. I was generating client id and secrets with the terminal, but realized that the implementation of the oidc plugin is too restrictive. Here is my proposal.

The current validation in oidc:create and SettingsController.addClient() restricts client_id and client_secret to [A-Za-z0-9] characters only.

RFC 6749 (OAuth 2.0) Appendix A https://datatracker.ietf.org/doc/html/rfc6749#appendix-A defines both as *VSCHAR (any printable ASCII, %x20-7E). The only character that must be excluded is : (colon), which is the Basic auth username/password separator per RFC 7617.

The current restriction breaks interoperability with any credential generator that follows standard naming conventions (e.g. myapp-service, UUIDs, hyphenated identifiers). The failure mode is particularly opaque: the CLI rejects the credential at creation time with a non-obvious error message, and if a credential somehow reaches the token endpoint with a non-alphanumeric character, Nextcloud logs a generic Login failed with no indication of the root cause.

Changes

• Relax the validation regex in lib/Command/Clients/OIDCCreate.php and lib/Controller/SettingsController.php from /^[A-Za-z0-9]{32,64}$/ to VSCHAR minus : and space: /^[\x21-\x39\x3B-\x7E]{32,64}$/
• Update error messages accordingly
• Add unit tests for credentials containing -, _, . (should pass) and : (should fail)

Impact

No existing credentials are affected - the alphanumeric subset is fully contained within the new character set. The 32-64 length requirement is preserved as a security floor.

[H2CK]

Thanks for your contribution. Please have a look at the further comments which are all related to the test execution and solve the problems.
The other changes are in general fine for me.