oauth2 flow_refresh_test: Add unit tests for optional 'scope' param

Updating our OAuth2 token refresh handler tests to completely ignore
the **Client Scopes** and **Originally Requested Scopes**. Instead,
the originally granted scopes should be the only scopes validated
against.

Also adding some tests to validate the optional 'scope' parameter,
as outlined in https://www.rfc-editor.org/rfc/rfc6749#section-6

Note that this implementation returns an ErrInvalidScope if the
'scope' form parameter is defined but empty.