mod_http_oauth2: Fix schema to enforce at least one redirect URI minLength is for strings

mod_http_oauth2: Show only roles the user can use in consent dialog Confusing if it shows you roles you can't use.

mod_http_oauth2: Reference grant by id instead of value Fixes that the grant got mutated on use of refresh token, notably it would gain 'id' and 'jid' properties set there by mod_tokenauth. Previously also the secret token that we should not be remembering.

mod_http_oauth2: Scope FIXMEs

mod_http_oauth2: Describe type signatures of scope handling functions

mod_http_oauth2: Allow requesting a subset of scopes on token refresh This enables clients to request access tokens with fewer permissions than the grant they were given, reducing impact of token leak. Clients could e.g. request access tokens with some privileges and immediately revoke them after use, or other strategies.

mod_http_oauth2: Enforce client scope restrictions in authorization When registering a client, a scope field can be included as a promise to only ever use those. Here we enforce that promise, if given, ensuring a client can't request or be granted a scope it didn't provide in its registration. While currently there is no restrictions at registration time, this could be changed in the future in various ways.

mod_http_oauth2: Fix inclusion of role in refreshed access tokens `refresh_token_info` does not carry the role, and due to behavior prior to prosody trunk rev a1ba503610ed it would have reverted to the users' default role. After that it instead issues a token without role which is thus not usable with e.g. mod_rest

mod_http_oauth2: Fix unintentional persistence

mod_auth_oauth_external: Update compatibility section with unknowns The PLAIN bits may very well work, it just needs async support