Assumptions on request scopes behavior

[CallRouterAuthorize](https://github.com/myndocs/kotlin-oauth2-server/blob/develop/oauth2-server-core/src/main/java/nl/myndocs/oauth2/grant/CallRouterAuthorize.kt#L47) is making the assumption, that if no scopes are provided that all scopes should be requested.

This is up to the implementor how to act on this. 