[OAuth] Allow limiting scopes per application

Applications should have an optional list of scopes that clients are allowed to request. This is especially useful for the Client Credentials flow, where no user delegate is available to decide which scopes to allow.