mod_http_oauth2: Allow requesting a subset of scopes on token refresh This enables clients to request access tokens with fewer permissions than the grant they were given, reducing impact of token leak. Clients could e.g. request access tokens with some privileges and immediately revoke them after use, or other strategies.

This module discards typing notifications sent to a bare host JID,
preventing error replies to be sent. These errors are harmless but can
be annoying sometimes if your client shows them prominently.