mod_http_oauth2: Allow requesting a subset of scopes on token refresh This enables clients to request access tokens with fewer permissions than the grant they were given, reducing impact of token leak. Clients could e.g. request access tokens with some privileges and immediately revoke them after use, or other strategies.

# mod_tos

A very drafty module to implement some kind of Terms of Service acceptance
tool.

Currently, this only works with clients implementing this very drafty
protocol. The result of the experiments will be an update to the
[ToS ProtoXEP](https://xmpp.org/extensions/inbox/tos.html), with the goal
of acceptance.