auth: Allow getting session and access token with custom scope

[alexweininger]

Changes are pulled from @JasonYeMSFT's original PR #1643. Jason needs this change to support a feature in the Databases extension.

Creating as a draft because this code change still breaks some things.

Known breakages:

1. Breaks zip deploy. Fixed in the appservice shared package by 751ee12
2. Zip deploying to a function/app service app in a sovereign cloud. (along with all other kudu operations like viewing deployments and logs) Fixed in the azure shared package by appservice: Use management endpoint for all kudu calls #1677

[alexweininger]

@bwateratmsft I'm investigating this, but would appreciate some help figuring out why this would break zip deploy for sovereign clouds.

[alexweininger]

I found that the access token audiences are different between the working and broken access tokens.

Broken access token audience: “https://management.chinacloudapi.cn\” (resource manager endpoint)
Working access token audience: “https://management.core.chinacloudapi.cn\” (management endpoint)

That's probably the issue, now on to fixing it...

[alexweininger]

Looks like I already investigated and found out about the endpoint difference in December #1637

However, that was changing the default if no scopes were passed. This change makes it so scopes will be respected, but now the wrong scopes are being passed in 🙃

[alexweininger]

See #1670 for details on how I fixed the sovereign cloud issue. Once #1670 is merged and released, we'll be good to merge this too.

[alexweininger]

Ok so #1670 broke a bunch of other stuff so #1677 is the actual fix that doesn't break everything! 😄