Device code obey scopes

[amanning9]

Description of the Change

The new device code grant does not give the resulting token the scopes that were asked for. This PR fixes that bug and adds a test.

I'm not /completely/ sure that I've fixed it in the correct place- If There is a better way or place to fix the problem please let me know.

Checklist

• PR only contains one change (considered splitting up PR)
• unit-test added
• documentation updated
• CHANGELOG.md updated (only for user relevant changes)
• author name in AUTHORS
• tests/app/idp updated to demonstrate new features
• tests/app/rp updated to demonstrate new features

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[dopry]

@amanning9 this generally looks right... to help make yourself more confident and assist me in validating could you help me understand how we are using set_oauthlib_user_to_device_request_user upstream? Do all the contexts in which is it used make sense to also set scope? Maybe we should rename it if we're setting both user and scope? Should request.scope even be set or should developer be loading the device grant or token to lookup the scope?