authgear-server
[App2App] Scopes should be validated according to client type
Assume AppA is authenticated, and AppB is not authenticated.
Currently, when AppB tries to authenticate via app2app through AppA, the scopes of AppA's session are inherited by AppB's session without validation. Therefore, if AppA is granted a scope that AppB does not support, AppB's new session ends up with a scope it should never hold.
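The behaviour described above, as an added illustration that is not authgear-server's own code: `inheritScopesUnchecked` copies every scope from AppA's session, while `inheritScopesValidated` keeps only the scopes the target client is configured to allow. The `Client` type, its `AllowedScopes` field and the scope strings are assumptions for the example; in the real server the check would run against the client's configured type and scope list.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Client is a hypothetical stand-in for an OAuth client configuration;
// AllowedScopes is the set of scopes this client may be issued.
type Client struct {
	ID            string
	AllowedScopes map[string]bool
}

// ErrNoScopes is returned when none of the inherited scopes is allowed for the target client.
var ErrNoScopes = errors.New("app2app: no inherited scope is allowed for target client")

// inheritScopesUnchecked mirrors the reported behaviour: the target session
// receives every scope from the source session, with no per-client validation.
func inheritScopesUnchecked(sourceScopes []string, _ Client) []string {
	out := append([]string(nil), sourceScopes...)
	sort.Strings(out)
	return out
}

// inheritScopesValidated filters the inherited scopes against what the target
// client is allowed, so AppB never receives a scope that only AppA supports.
func inheritScopesValidated(sourceScopes []string, target Client) ([]string, error) {
	var out []string
	for _, s := range sourceScopes {
		if target.AllowedScopes[s] {
			out = append(out, s)
		}
	}
	if len(out) == 0 {
		return nil, ErrNoScopes
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	// Constructed sample: AppA holds a scope that AppB is not allowed to use.
	appA := []string{"openid", "offline_access", "app_a_only_scope"}
	appB := Client{ID: "app-b", AllowedScopes: map[string]bool{"openid": true, "offline_access": true}}
	fmt.Println("unchecked:", inheritScopesUnchecked(appA, appB))
	got, err := inheritScopesValidated(appA, appB)
	fmt.Println("validated:", got, err)
}
```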