Add support for configurable oAuth2 scopes

[loftux]

The oAuth2 scopes that Alfresco request from the authentication server needs to be configurable.
Currently hardcoded:
https://github.com/Alfresco/alfresco-community-repo/blob/master/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/IdentityServiceFacadeFactoryBean.java#L384

Explanation
Trying to implement oAuth2 with Authentik, https://goauthentik.io I got an error saying "ERROR [site.servlet.AIMSFilter] [http-nio-8080-exec-2] Resulted in Error while doing refresh token refreshToken cannot be null"
Tracked it down to that you have to grant the "offline_access" scope for Authentik to send it
goauthentik/authentik#8660
I assume this also means the client (Alfresco has to request it), bit that is currently not possible.

Side note: I think using Authentik can be a good reference implementation to test that Alfresco has good support for oAuth2, and not just with keycloak.

[loftux]

I noticed that "offline_access" is available here for Admin console

alfresco-community-repo/repository/src/main/java/org/alfresco/repo/security/authentication/identityservice/admin/IdentityServiceAdminConsoleAuthenticator.java

Line 74 in a73cf6a

private static final Set<String> SCOPES = Set.of("openid", "profile", "email", "offline_access");

I could get authentication to work for admin console, but not for anything more.

@damianujma for the ACS-6601

[loftux]

Maybe there is no need for a configurable setting for this, just add by default to IdentityServiceFacadeFactoryBean.
Not sure if there is a reason it is not there, that is why I'm not making a PR, maybe it does need to be omitted for other clients such as keycloak

Reference why I needed this change to get it to work with Authentik: https://docs.goauthentik.io/docs/providers/oauth2/#refresh_token

[loftux]

More references to "offline_access" are needed for the refresh token to be issued:

https://auth0.com/docs/secure/tokens/refresh-tokens/get-refresh-tokens
https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant
https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess

interesting discussion manfredsteyer/angular-oauth2-oidc#1241 on how to interpret the standard.