mod_http_oauth2: Scope FIXMEs

mod_http_oauth2: Describe type signatures of scope handling functions

mod_http_oauth2: Allow requesting a subset of scopes on token refresh This enables clients to request access tokens with fewer permissions than the grant they were given, reducing impact of token leak. Clients could e.g. request access tokens with some privileges and immediately revoke them after use, or other strategies.

mod_http_oauth2: Enforce client scope restrictions in authorization When registering a client, a scope field can be included as a promise to only ever use those. Here we enforce that promise, if given, ensuring a client can't request or be granted a scope it didn't provide in its registration. While currently there is no restrictions at registration time, this could be changed in the future in various ways.

mod_http_oauth2: Fix inclusion of role in refreshed access tokens `refresh_token_info` does not carry the role, and due to behavior prior to prosody trunk rev a1ba503610ed it would have reverted to the users' default role. After that it instead issues a token without role which is thus not usable with e.g. mod_rest

mod_http_oauth2: Fix unintentional persistence

mod_auth_oauth_external: Update compatibility section with unknowns The PLAIN bits may very well work, it just needs async support

mod_auth_oauth_external: Also do XEP-0106 escaping in SASL OAUTHBEARER For consistency. The mangling should be made configurable in the future.

mod_auth_oauth_external: Stub not implemented auth module methods Not providing some of these may trigger errors on use, which is something that would be nice to fix on the Prosody side, one day.

mod_auth_oauth_external: Add Mastodon to README