Bring back global default OIDCClientRegistrationToken #750
ralfstrobel started this conversation in Ideas
Replies: 0 comments
When the metadata directory with issuer-specific .conf files was introduced in 2014, the global OIDCClientRegistrationToken setting was removed. I assume the reasoning behind this was that in a multi-provider environment, you would typically require an individual bearer token for each one anyway.
However, we have a case where using the same global bearer token for each provider would actually be very useful: our application is split into a large number of dynamically assigned sub-domains, each of which may act as its own identity provider. We would therefore like to combine both discovery and dynamic client registration, since we cannot feasibly create Apache configuration for each sub-domain explicitly. At the same time, we would like to restrict client registration to our known Apache servers and not leave it completely open. We currently achieve this by IP whitelisting, but using a centrally defined bearer token for all sub-domain applications would be the easier solution.
From what I can see in the code, the global default provider config could still easily hold a value for "registration_token". It is simply no longer assigned from the module config. So the change to re-introduce OIDCClientRegistrationToken should be minimal. Thank you!
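The two registration controls the post compares, a shared bearer initial access token (RFC 7591, sent as `Authorization: Bearer ...` on the registration POST) versus a source-address allowlist, shown as an added example on the identity-provider side. This is illustration code written for this page, not code from the discussion or from mod_auth_openidc; `SHARED_REGISTRATION_TOKEN`, `ALLOWED_NETWORKS`, the addresses, the redirect URIs and the function names are all constructed assumptions.

```python
"""Added example (not part of the original discussion or of mod_auth_openidc):
a minimal RFC 7591 dynamic-client-registration check of the kind each
sub-domain issuer could run. A registration is accepted when the request
carries the shared initial access token or, optionally, comes from an
allowlisted relying-party address. All values here are constructed."""
import hmac
import ipaddress
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed shared token: the value a central, client-side
# OIDCClientRegistrationToken-style setting would hand to every issuer.
SHARED_REGISTRATION_TOKEN = "constructed-shared-token-0123456789"

# Constructed allowlist standing in for the post's IP-whitelisting approach.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class RegistrationResult:
    status: int       # HTTP status the endpoint would return
    body: dict        # JSON body: client credentials or an error object


def build_registration_request(token: Optional[str], redirect_uri: str) -> Tuple[Dict[str, str], str]:
    """Relying-party side: headers and JSON body of an RFC 7591 registration POST.
    Constructed approximation of what a dynamically registering client sends;
    the bearer token only appears when one is configured."""
    headers = {"Content-Type": "application/json"}
    if token is not None:
        headers["Authorization"] = "Bearer " + token
    body = json.dumps({
        "redirect_uris": [redirect_uri],
        "client_name": "constructed relying party",
        "token_endpoint_auth_method": "client_secret_basic",
    })
    return headers, body


def _bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Extract the bearer token from the Authorization header, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def _ip_allowed(remote_addr: str) -> bool:
    """True when the peer address lies inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def handle_registration(headers: Dict[str, str], remote_addr: str, body: str,
                        *, require_token: bool = True) -> RegistrationResult:
    """Identity-provider side: authorize and process one registration request.

    require_token=True  -> the shared bearer token is mandatory.
    require_token=False -> the token OR an allowlisted source address suffices.
    """
    token = _bearer_token(headers)
    # Constant-time comparison so a wrong token leaks nothing through timing.
    token_ok = token is not None and hmac.compare_digest(
        token.encode(), SHARED_REGISTRATION_TOKEN.encode())
    if not token_ok and (require_token or not _ip_allowed(remote_addr)):
        # RFC 7591 §3.2.2: a missing/invalid initial access token is an
        # OAuth bearer error, reported as 401 invalid_token.
        return RegistrationResult(401, {"error": "invalid_token"})

    try:
        metadata = json.loads(body)
    except ValueError:
        return RegistrationResult(400, {"error": "invalid_client_metadata"})

    redirect_uris = metadata.get("redirect_uris")
    if not isinstance(redirect_uris, list) or not redirect_uris:
        return RegistrationResult(400, {"error": "invalid_redirect_uri"})
    # Web clients get https-only redirect URIs; anything else is rejected.
    if any(not isinstance(u, str) or not u.startswith("https://") for u in redirect_uris):
        return RegistrationResult(400, {"error": "invalid_redirect_uri"})

    # Mint fresh credentials for the new client (RFC 7591 §3.2.1 response).
    client = {
        "client_id": secrets.token_urlsafe(16),
        "client_secret": secrets.token_urlsafe(32),
        "redirect_uris": redirect_uris,
        "token_endpoint_auth_method": metadata.get("token_endpoint_auth_method",
                                                   "client_secret_basic"),
    }
    return RegistrationResult(201, client)


if __name__ == "__main__":
    h, b = build_registration_request(SHARED_REGISTRATION_TOKEN,
                                      "https://app1.example.org/redirect_uri")
    print(handle_registration(h, "198.51.100.7", b))
```

With the shared token every sub-domain issuer checks the same secret, so nothing per-issuer has to be configured on the Apache side; the allowlist fallback (`require_token=False`) reproduces the post's current setup and shows why it needs per-network knowledge that a single token does not.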