support refresh token scopes

[nrwiersma]

While oAuth2 does not require scope on a refresh, OIDC can support this (seems to be a mixed bag on this). As this library is largely used for OIDC it would be good to support this use case.

[google-cla[bot]]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[gopherbot]

This PR (HEAD: a1052cbd6a934917c7b39c54503073dc5b60446d) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/oauth2/+/421174 to see it.

Tip: You can toggle comments from me using the comments slash command (e.g. /comments off) See the Wiki page for more info

[gopherbot]

Message from Gopher Robot:

Patch Set 1:

Congratulations on opening your first change. Thank you for your contribution!

Next steps: A maintainer will review your change and provide feedback. See https://go.dev/doc/contribute#review for more info and tips to get your patch through code review.

Most changes in the Go project go through a few rounds of revision. This can be surprising to people new to the project. The careful, iterative review process is our way of helping mentor contributors and ensuring that their contributions have a lasting impact.

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/421174. After addressing review feedback, remember to publish your drafts!

[vijaytdh]

👍 It would be great if this is reviewed and eventually merged as there are a number of similar PRs from people affected by this issue with the refresh token and scopes.