[wip] support JupyterHub access scopes #863

Draft: wants to merge 1 commit into base: main
@minrk minrk commented Feb 3, 2025

Draft because I'm not sure what the defaults/backward-compatibility should be

Most details can be found in #829 but this would allow standard and more fine-grained control of access to the gateway service for tokens. The default is currently unchanged, for maximum compatibility.

To enable this with users being able to access this service by default from their server (minimal change from current default capabilities), a deployment needs to:

  1. configure dask-gateway to know its service name (usually dask-gateway)
  2. grant users the access:services!service=dask-gateway scope via the default user role (or a different role, if it should be less than all users, which is part of the point)
  3. grant server tokens the same scope via the Spawner.server_token_scopes (or the server role, prior to JupyterHub 4.0)

The main idea of this is it enables both:

  1. not all users have access to the gateway, and/or
  2. not all tokens have access to the gateway

since as it is now, JupyterHubAuth grants any token provided to any jupyterhub service full access to the dask gateway.

TODO:

  • decide on enabling by default
  • docs for change, how to enable
  • update tests
  • update gateway chart? Maybe also daskhub chart?

closes #829

- disabled by default for backward-compatibility
- opt-in by setting jupyterhub_service_name
- prefix service usernames so they don't collide with users
@minrk minrk force-pushed the jupyterhub-auth-scopes branch from 9235074 to 702dc63 Compare February 3, 2025 15:51
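
The difference between the current behaviour and the scoped behaviour described in the pull request, as an added example that is not code from this PR, dask-gateway or JupyterHub. It is a simplified model: `grants_service_access`, `authorize` and the sample tokens are hypothetical, the role and scope lists are constructed, and metascopes such as `self` are not expanded.

```python
# Added illustration: a simplified model, not dask-gateway or JupyterHub source.
SERVICE_NAME = "dask-gateway"  # step 1: the name the gateway is configured with
ACCESS_SCOPE = f"access:services!service={SERVICE_NAME}"

# Steps 2 and 3 as jupyterhub_config.py-style values (constructed for this example).
load_roles = [{"name": "user", "scopes": ["self", ACCESS_SCOPE]}]
server_token_scopes = ["users:activity!user", "access:servers!server", ACCESS_SCOPE]


def grants_service_access(scopes, service_name):
    """Return True if a resolved scope list permits access to service_name."""
    for scope in scopes:
        base, _, scope_filter = scope.partition("!")
        if base != "access:services":
            continue
        # The unfiltered scope covers every service; a filtered one covers
        # only the service it names.
        if scope_filter in ("", f"service={service_name}"):
            return True
    return False


def authorize(token_scopes, service_name=None):
    """Model both modes: service_name=None is the current behaviour (any token
    the Hub recognises is accepted); a service name turns on the scope check."""
    if token_scopes is None:  # the Hub did not recognise the token
        return False
    if service_name is None:
        return True
    return grants_service_access(token_scopes, service_name)


# Constructed tokens, represented only by their resolved scopes.
SAMPLE_TOKENS = {
    "server token (step 3 applied)": server_token_scopes,
    "token for another service": ["access:services!service=other-service"],
    "read-only API token": ["read:users"],
    "unfiltered access:services": ["access:services"],
    "unknown token": None,
}

if __name__ == "__main__":
    for label, scopes in SAMPLE_TOKENS.items():
        legacy = authorize(scopes)
        scoped = authorize(scopes, SERVICE_NAME)
        print(f"{label:32} legacy={legacy!s:5} scoped={scoped}")
```

The two middle rows are the ones that change: a token issued for another service or with only read scopes is accepted in the current mode and rejected once the service name is configured.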

minrk commented Feb 3, 2025

Also possibly relevant, since I don't know how dask-labextension works: Does the lab extension use the PageConfig.token to make requests directly to the Gateway, or does it make requests only to a server extension, which then uses $JUPYTERHUB_API_TOKEN? If it uses the jupyterlab token, the service access permission would also need to be granted to Spawner.oauth_client_allowed_scopes

Successfully merging this pull request may close these issues.

Consider JupyterHub authentication rework