@Jabejixo

Overview

Add support for groups and preferredUsername for statically configured users (staticPasswords) and propagate them through the local password DB connector into standard OIDC ID token claims.

What this PR does / why we need it

  • Adds new optional config fields for staticPasswords:
    • groups: []string → OIDC groups claim (when groups scope is requested)
    • preferredUsername: string → OIDC preferred_username claim (when profile scope is requested)
  • Persists these attributes in storage.Password and ensures all relevant storage backends handle them:
    • SQL storage (schema migration + CRUD)
    • Kubernetes storage types
    • ent-based storage (schema + regenerated code)
  • Updates local password login/refresh so passwordDB returns connector.Identity with these fields set.
  • Adds tests validating:
    • config parsing for the new fields
    • local passwordDB identity values
    • ID token contains preferred_username and groups for password grant with local connector (under appropriate scopes)
  • Backward compatible:
    • existing configs without new fields keep working unchanged
    • existing databases are migrated in-place; defaults are handled for Postgres/SQLite/MySQL

Special notes for your reviewer

  • This is intentionally not a generic “arbitrary claims map” mechanism; it adds only the missing standard claims needed for local/static users, in a way that is easy to extend later.
  • SQL migrations include a MySQL-specific sequence to avoid DEFAULT on BLOB while still keeping groups non-null for existing rows.
  • There is a small fix in SQL UpdatePassword: it now correctly writes updated groups (previously it used the old value).
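The following is an added illustration (not Dex's own code and not part of this PR) of how a `staticPasswords` entry carrying the optional `groups` and `preferredUsername` fields flows into scope-gated ID token claims. The helper names, the dataclass and the sample entries are constructed for the example; only the config keys, claim names and scope gating follow the PR text.

```python
# Added illustration (not Dex's own code): models how a staticPasswords entry
# with the optional groups / preferredUsername fields described in this PR
# becomes scope-gated OIDC ID token claims. Helper names are constructed here.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class StaticUser:
    """Model of one staticPasswords entry after config parsing."""
    email: str
    username: str
    user_id: str
    groups: list = field(default_factory=list)    # new optional config field
    preferred_username: Optional[str] = None      # new optional config field


def parse_static_user(entry: dict) -> StaticUser:
    """Parse a config entry; the new keys stay optional so old configs still load."""
    return StaticUser(
        email=entry["email"],
        username=entry["username"],
        user_id=entry["userID"],
        groups=list(entry.get("groups", [])),
        preferred_username=entry.get("preferredUsername"),
    )


def id_token_claims(user: StaticUser, scopes: set) -> dict:
    """Release a claim only when the client requested the scope that covers it."""
    claims = {"sub": user.user_id}
    if "profile" in scopes and user.preferred_username:
        claims["preferred_username"] = user.preferred_username
    if "groups" in scopes and user.groups:
        claims["groups"] = list(user.groups)
    return claims


# Constructed sample entries: one using the new fields, one legacy-style.
NEW_STYLE = {"email": "alice@example.com", "username": "alice", "userID": "u-1",
             "hash": "<bcrypt hash placeholder>",
             "groups": ["admins", "dev"], "preferredUsername": "alice.a"}
LEGACY = {"email": "bob@example.com", "username": "bob", "userID": "u-2",
          "hash": "<bcrypt hash placeholder>"}
```

The legacy entry parses to empty `groups` and no `preferred_username`, so neither claim appears in its token regardless of the requested scopes.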
