authorize subsets of roles

- oauth clients can request a list of roles
- authorization will proceed with the _subset_ of those roles held by the user
- in the future, this subsetting will be refined to the scope level

examples/custom-scopes/jupyterhub_config.py

@@ -31,7 +31,13 @@ c.JupyterHub.load_roles = [
         "name": "grader",
         # grant graders access to write grades
         "scopes": ["custom:grades:write"],
-        "users": ["grader", "instructor"],
+        "users": ["grader"],
+    },
+    {
+        "name": "instructor",
+        # grant instructors access to read, but not write grades
+        "scopes": ["custom:grades:read"],
+        "users": ["instructor"],
     },
 ]