implement access scopes

- access:services for services
- access:users:servers for servers
- tokens automatically have access to their issuing client (if their owner does, too)
- Check access scope in HubAuth integration

examples/service-notebook/external/shared-notebook-service

@@ -1,9 +1,11 @@
 #!/bin/bash -l
 set -e
 
-export JUPYTERHUB_API_TOKEN=super-secret
+# these must match the values in jupyterhub_config.py
+export JUPYTERHUB_API_TOKEN=c3a29e5d386fd7c9aa1e8fe9d41c282ec8b
 export JUPYTERHUB_SERVICE_URL=http://127.0.0.1:9999
 export JUPYTERHUB_SERVICE_NAME=shared-notebook
+export JUPYTERHUB_SERVICE_PREFIX="/services/${JUPYTERHUB_SERVICE_NAME}/"
+export JUPYTERHUB_CLIENT_ID="service-${JUPYTERHUB_SERVICE_NAME}"
 
-jupyterhub-singleuser \
-    --group='shared'
+jupyterhub-singleuser