Fix OIDC claims validation against undefined scopes variable

The authorize action called validate_claims_against_scopes with
requested_scopes before that local was assigned (assignment was ~100
lines later), raising NameError whenever a client passed a claims=
parameter. Move the scope normalization above the claims validation.

Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>

app/controllers/oidc_controller.rb

@@ -168,6 +168,12 @@ class OidcController < ApplicationController
       end
     end
 
+    # Normalize requested scopes to the set we support. Needed here so claims
+    # validation below can check claim→scope coverage against what will actually
+    # be granted.
+    requested_scopes = scope.split(" ") & SUPPORTED_SCOPES
+    scope = requested_scopes.join(" ")
+
     # Parse claims parameter (JSON string) for OIDC claims request
     # Per OIDC Core §5.5: The claims parameter is a JSON object that requests
     # specific claims to be returned in the id_token and/or userinfo
@@ -291,9 +297,6 @@ class OidcController < ApplicationController
       return
     end
 
-    requested_scopes = scope.split(" ") & SUPPORTED_SCOPES
-    scope = requested_scopes.join(" ")
-
     unless requested_scopes.include?("openid")
       error_uri = "#{redirect_uri}?error=invalid_scope&error_description=#{CGI.escape("The 'openid' scope is required")}"
       error_uri += "&state=#{CGI.escape(state)}" if state.present?