
[DOCS] Bug in OAuth2 instructions - mixup between scope and audience?

Open devinbost opened this issue 2 years ago • 0 comments

On the page https://github.com/streamnative/kop/blob/master/docs/security.md#oauthbearer, it shows an example client configuration of scope equaling api://pulsar-cluster-1/.default and audience equaling https://broker.example.com. However, RFC 6749 section 3.3 indicates that the Access Token Scope parameter ("scope") is to inform the authorization server of the authorization scope requested by the client. (A given access token can carry multiple scopes, as explained here: https://community.auth0.com/t/understanding-how-the-audience-concept-actually-works/34011/3) The syntax in the KoP doc for the scope example, api://pulsar-cluster-1/.default, appears more like what I'd expect the audience parameter value to look like, since audience is a resource identifier that is unique to the token. In the example in the KoP doc, https://broker.example.com is not something that would be unique to a token.

devinbost, Jan 11 '23 20:01