Hi, Sakit.
1. Yes, it is. It's done via custom authentication scripts functionality. You can check our [gplus](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations/gplus) and [saml/asimba](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations/asimba) auth scripts for examples, they both enroll users on the fly.
2. A proper implementation of password reset (with some kind of email confirmation, like it's usually done) would require you to write a separate specialized app which would communicate with your Gluu instance via SCIM (SCIM endpoints are protected by UMA) or by directly accessing Gluu's internal LDAP directory (if you store users' passwords there too). A very simple implementation could be done with custom auth scripts I've mentioned already
3. oxd is only capable of what is mentioned in docs, as of now. It handles authentication and authorization (if UMA is used) for your app, within limits defined by OIDC and UMA specs.