
Added ability to restrict scopes for a client #747


Closed

wants to merge 2 commits into from

Conversation

robbytaylor
Contributor

This is a partial fix for #691.

With this change the scopes for which a client can issue tokens are limited to its own array of scopes. This allows scopes to be used to protect internal machine-to-machine requests from being accessed by users with valid password grant tokens.

This adds functionality which exists in other PHP OAuth server implementations. e.g. https://bshaffer.github.io/oauth2-server-php-docs/overview/scope:

The scope(s) available to a client are controlled by a combination of the scope field in the client storage, and the list of scopes available, as defined in the scope storage.

When the client has a list of scopes configured alongside it, the client is restricted to use only those scopes. When there are no scopes configured, the client is not restricted in what scopes it may use, it is able to use all scopes available within the authorization server.

This implementation behaves in the same way.

One thing I noticed is that following #729 the migration to create the oauth_clients table hasn't been updated to include the grant_types column. If this PR gets merged I'll therefore do another PR to add both the grant_types and scopes columns, if that's helpful.
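The client-scope rule described in this PR (a non-empty client scope list restricts the client, an empty list leaves it unrestricted), as an added stand-alone PHP illustration; this is not the PR's or Passport's code, and the class name, function name and sample scopes are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical exception type for this illustration (not a Passport class).
final class ScopeNotAllowedForClient extends RuntimeException {}

/**
 * Return the scopes a token may be issued with for the given client.
 *
 * Semantics follow the PR description and the bshaffer docs it quotes:
 *  - a client with a non-empty scope list may only issue tokens for those scopes;
 *  - a client with an empty scope list may use any scope the server defines.
 *
 * @param string[] $serverScopes all scopes defined on the authorization server
 * @param string[] $clientScopes scopes configured for the client (may be empty)
 * @param string[] $requested    scopes asked for in the token request
 * @return string[]
 */
function scopesForClient(array $serverScopes, array $clientScopes, array $requested): array
{
    // Scopes the server does not know are refused for every client.
    $unknown = array_diff($requested, $serverScopes);
    if ($unknown !== []) {
        throw new ScopeNotAllowedForClient('Unknown scope(s): ' . implode(', ', $unknown));
    }

    // Empty client scope list means "not restricted".
    if ($clientScopes === []) {
        return $requested;
    }

    // Otherwise every requested scope must appear in the client's own list.
    $disallowed = array_diff($requested, $clientScopes);
    if ($disallowed !== []) {
        throw new ScopeNotAllowedForClient(
            'Client may not issue tokens for scope(s): ' . implode(', ', $disallowed)
        );
    }
    return $requested;
}

// Constructed sample: one user-facing scope and one internal service scope.
$serverScopes = ['read-profile', 'internal:billing'];

// Password-grant client used by end users, configured with ['read-profile'].
var_dump(scopesForClient($serverScopes, ['read-profile'], ['read-profile']));

// Machine-to-machine client with no scope list: unrestricted.
var_dump(scopesForClient($serverScopes, [], ['internal:billing']));

// A user-facing client asking for the internal scope is refused.
try {
    scopesForClient($serverScopes, ['read-profile'], ['internal:billing']);
} catch (ScopeNotAllowedForClient $e) {
    echo $e->getMessage(), PHP_EOL;
}
```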

@taylorotwell
Member

It feels like we are adding all kinds of code before addressing my original question and simple solution in the original PR? I would like to see that discussed first and then we can re-visit these.
