Introduce required_scopes as parameter for the authentication response

[GeorgDangl]

Some OAuth2 / Open ID Connect providers require that clients include a scope parameter when requesting an access token. It looks like all CDE servers can add a default one if none was included, but a new feature to include something like required_scopes (maybe even scoped by API?) could be added to the authorization endpoint, so that final responses could look like this:

{
    "oauth2_auth_url": "https://example.com/opencde/oauth2/auth",
    "oauth2_token_url": "https://example.com/opencde/oauth2/token",
    "oauth2_dynamic_client_reg_url": "https://example.com/opencde/oauth2/reg",
    "http_basic_supported": true,
    "supported_oauth2_flows": [
        "authorization_code_grant",
        "implicit_grant",
        "resource_owner_password_credentials_grant"
    ],
    "required_scopes": [{
        "api": "bcf",
        "scope": "bcf offline_access"
    }]
}

[ykulbak]

available_scopes is, in my opinion, a more descriptive name

[GeorgDangl]

For 1.x, we're relying on a manually process. That means, developers connecting to an OAuth2 capable server should find out the required scopes for the specific instance and handle it in their own code.

[ykulbak]

Sep 25th 2023, group discussion. See comment from the same date on #25