Prevent spamming emails by reusing client secret
Generate a client secret in the Signup class (if we don't already
have one) and re-usae it for subsequent attempts to register,
that way the IS can honour the sendAttempt flag and not re-send
the email if we're just retrying and requestToken becomes
idempotent.
