Allow scopes to be non-empty for all security scheme types

[kota65535]

In OpenAPI Specification 3.0.x, the list of scope names of Security Requirement Object MUST be empty if the security scheme type is other than oauth2 or openIdConnect. But in 3.1.0, now it MAY contain role names which are required for the execution.

• In 3.0.3

For other security scheme types, the array MUST be empty.

• In 3.1.0:

For other security scheme types, the array MAY contain a list of role names which are required for the execution, but are not otherwise defined or exchanged in-band.