store scopes on oauth clients, too

rather than roles, matching tokens

because oauth clients are mostly involved with issuing tokens,
they don't have roles themselves (their owners do).

This deprecates the `oauth_roles` config on Spawners and Services, in favor of `oauth_allowed_scopes`.

The ambiguously named `oauth_scopes` is renamed to `oauth_access_scopes`.

examples/custom-scopes/jupyterhub_config.py

@@ -7,7 +7,10 @@ c.JupyterHub.services = [
         'name': 'grades',
         'url': 'http://127.0.0.1:10101',
         'command': [sys.executable, './grades.py'],
-        'oauth_roles': ['grader'],
+        'oauth_allowed_scopes': [
+            'custom:grades:write',
+            'custom:grades:read',
+        ],
     },
 ]
 

examples/service-whoami/README.md

@@ -26,7 +26,7 @@ After logging in with any username and password, you should see a JSON dump of y
 ```
 
 What is contained in the model will depend on the permissions
-requested in the `oauth_roles` configuration of the service `whoami-oauth` service.
+requested in the `oauth_allowed_scopes` configuration of the service `whoami-oauth` service.
 The default is the minimum required for identification and access to the service,
 which will provide the username and current scopes.
 

examples/service-whoami/jupyterhub_config.py

@@ -14,11 +14,11 @@ c.JupyterHub.services = [
         # only requesting access to the service,
         # and identification by name,
         # nothing more.
-        # Specifying 'oauth_roles' as a list of role names
+        # Specifying 'oauth_allowed_scopes' as a list of scopes
         # allows requesting more information about users,
         # or the ability to take actions on users' behalf, as required.
-        # The default 'token' role has the full permissions of its owner:
-        # 'oauth_roles': ['token'],
+        # the 'inherit' scope means the full permissions of the owner
+        # 'oauth_allowed_scopes': ['inherit'],
     },
 ]