Check scopes/authz before invoking user handler/eventbus address

[pmlopes]

OpenAPI module creates a router with security setup, however the way oauth2 works is that the requested scopes may be not be granted by the IdP so the returned token doesn't necessarely contain the required scopes.

We need to use the AuthorizationHandler before the user handler is called to ensure that the requested scopes are allowed.