Productize app tokens for service integration #10292

Open
butonic opened this issue Oct 14, 2024 · 3 comments
Member

butonic commented Oct 14, 2024

We have an initial implementation for app tokens, but it is disabled by default and marked as experimental.

App tokens are intended to be generated by end users so they can integrate legacy tools that do not support OIDC. However, the current implementation cannot scope the token, which is one of the reasons why we marked this as experimental.

There is another use case that we can productize already. The admin can generate app tokens for system accounts used by external services that can then interact with the Graph API, e.g. to manage space membership.

The latter does not need to expose the token generation endpoint, as only admins can generate tokens. A PR for the Helm chart that adds this as a feature is in owncloud/ocis-charts#767.

Member Author

butonic commented Oct 14, 2024

cc @tbsbdr @dragotin @micbar @wkloucek

The code to support this scope / use case is implemented and documented but needs a security review.

Contributor

tbsbdr commented Oct 16, 2024

@micbar @dragotin I consider app tokens to be extremely important. I propose to scope app tokens for the next QA sprint (from what we know as of today: do we still need development or solely security QA?). Do you agree to scope app tokens in the next sprint?

Contributor

micbar commented Oct 21, 2024

  • Needs a security review.

Labels
None yet
Projects
Status: Prio 2
Development

No branches or pull requests

3 participants