
Intrinsic scopes may cause creation of unnecessary new authorizations

Open mike-marcacci opened this issue 4 years ago • 0 comments

The refresh token logic is supposed to work as follows:

  1. validate the request/refresh token
  2. look for an existing active authorization tied to the grant with the same scopes
  3. if none exists, create a new authorization
  4. generate a token from that authorization

It appears that intrinsic scopes may not be factored into the comparison, such that when the requested scopes do not include the intrinsic scope, a new authorization can get created unnecessarily.

mike-marcacci, Apr 13 '21 23:04
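The comparison in step 2, as an added example (not AuthX's own code): a lookup that compares the raw requested scopes against stored authorizations beside one that folds the intrinsic scopes into the request first. The `Authorization` shape, the function names and the scope strings are assumptions, not AuthX identifiers.

```typescript
// Added example, not AuthX's own code: the authorization lookup in step 2.
// Assumption: a stored authorization keeps the full scope set it was created
// with, i.e. the requested scopes plus the intrinsic scopes every authorization gets.

interface Authorization {
  id: string;
  grantId: string;
  enabled: boolean;
  scopes: string[];
}

// Canonical form of a scope set (deduplicated, sorted) so that order and
// repetition in the request do not affect the comparison.
function canonical(scopes: Iterable<string>): string[] {
  return Array.from(new Set(scopes)).sort();
}

function sameScopes(a: Iterable<string>, b: Iterable<string>): boolean {
  const ca = canonical(a), cb = canonical(b);
  return ca.length === cb.length && ca.every((s, i) => s === cb[i]);
}

// Lookup that ignores intrinsic scopes: the stored set contains them, the
// request usually does not, so nothing matches and step 3 creates a new
// authorization on every refresh.
function findWithoutIntrinsic(existing: Authorization[], grantId: string,
                              requested: string[]): Authorization | undefined {
  return existing.find((a) =>
    a.enabled && a.grantId === grantId && sameScopes(a.scopes, requested));
}

// Lookup that folds the intrinsic scopes into the request first, so the
// comparison is against what a new authorization would actually hold.
function findWithIntrinsic(existing: Authorization[], grantId: string,
                           requested: string[], intrinsic: string[]): Authorization | undefined {
  return existing.find((a) =>
    a.enabled && a.grantId === grantId &&
    sameScopes(a.scopes, [...requested, ...intrinsic]));
}

// Constructed sample data (placeholder scope strings, not real AuthX scopes).
const INTRINSIC_SCOPES = ["example:authorization.self:read"];
const EXISTING: Authorization[] = [
  { id: "auth-1", grantId: "grant-1", enabled: true,
    scopes: ["example:profile:read", ...INTRINSIC_SCOPES] },
];
const REQUESTED = ["example:profile:read"];
```

With the sample data, the first lookup finds nothing and would fall through to step 3, while the second reuses `auth-1`.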