This repository was archived by the owner on Jun 12, 2021. It is now read-only.

Conversation

@peppelinux
Member

@peppelinux peppelinux commented Sep 7, 2020

This PR would introduce something heavy but, in some cases, useful: those which present some faulty RP/Client/RS where the token was not successfully checked against the scopes for which the token was released.

The option deny_unknown_scopes forces the Authz endpoint (both OAuth2 and OIDC) to return an invalid_scope error message, with HTTP status 400.

Configuration can be made as follows:

op:
  server_info:
    issuer: *base_url
    httpc_params:
      verify: False
    session_key:
      filename: data/oidc_op/private/session_jwks.json
      type: OCT
      use: sig
    capabilities:
      # indicates that unknown/unavailable scopes requested by an RP
      # will get a 400 error message instead of being declined implicitly.
      # If False the OP will only release the available scopes and ignore the missing ones.
      # Defaults to False
      deny_unknown_scopes: true

This PR is a WiP that follows #73
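Added illustration of the two behaviours the option above describes (this is example code written for this page, not oidc-op's own implementation; the function names, the `AuthzDecision` type and the set of available scopes are constructed assumptions):

```python
"""Added example (not the project's code): how an authorization endpoint can
treat requested scopes the OP does not offer, with and without the
deny_unknown_scopes option described in the PR.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed example: the scopes this OP is configured to release.
OP_AVAILABLE_SCOPES: Set[str] = {"openid", "profile", "email", "offline_access"}


@dataclass
class AuthzDecision:
    """Outcome of the scope check: either granted scopes or an OAuth2 error."""
    granted: List[str]
    error: Optional[Dict[str, str]] = None  # e.g. {"error": "invalid_scope", ...}
    http_status: int = 200


def parse_scope_param(scope_param: str) -> List[str]:
    """Split the space-separated ``scope`` request parameter (RFC 6749 section 3.3)."""
    return [s for s in scope_param.split(" ") if s]


def check_scopes(requested: Iterable[str],
                 available: Set[str] = OP_AVAILABLE_SCOPES,
                 deny_unknown_scopes: bool = False) -> AuthzDecision:
    """Hypothetical scope check at the authorization endpoint.

    deny_unknown_scopes=False (the default in the PR): silently drop scopes the
    OP does not know and continue with the rest.
    deny_unknown_scopes=True: any unknown scope fails the whole request with an
    ``invalid_scope`` error and HTTP 400, so a misconfigured client notices the
    problem instead of receiving a token narrower than it assumed.
    """
    requested_list = list(dict.fromkeys(requested))  # keep order, drop duplicates
    unknown = [s for s in requested_list if s not in available]
    if unknown and deny_unknown_scopes:
        return AuthzDecision(
            granted=[],
            error={
                "error": "invalid_scope",
                "error_description": "unknown scope(s): " + " ".join(unknown),
            },
            http_status=400,
        )
    # Lenient mode: release only the scopes the OP actually offers.
    return AuthzDecision(granted=[s for s in requested_list if s in available])


if __name__ == "__main__":
    req = parse_scope_param("openid profile admin:all")
    print(check_scopes(req))                            # lenient: admin:all dropped
    print(check_scopes(req, deny_unknown_scopes=True))  # strict: invalid_scope / 400
```

The strict mode is the defensive choice when a client or resource server is suspected of not re-checking the scopes bound to a token: failing loudly at the authorization endpoint makes the mismatch visible in the client's error handling and in the OP's logs, rather than letting a silently narrowed token reach a component that assumes it carries more.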

@peppelinux peppelinux changed the title Authorization denied for unallowed scopes [Option] Authorization denied for unallowed scopes Sep 16, 2020
@rohe rohe merged commit bd92a01 into develop Sep 18, 2020
@rohe
Contributor

rohe commented Sep 18, 2020

Fine
