Properly implement the OAuth2SecurityScheme

[benfrancis]

Currently Thing Descriptions claim that WebThings Gateway implements the OAuth2SecurityScheme. However, I've noticed that this is not fully implemented in the way that third party services might expect.

For example it should be possible to:

• Authenticate arbitrary web services with the gateway, by prompting a user for their username and password (see OAuth Third-party registration #340)
• Issue both API access tokens with an expiry date (see Token expiry  #133), and refresh tokens (see OAuth Authorization Grants and JWT Expiry #339)
• Support more granular permissions (see Oauth read/write separate permissions for each thing #1678)
• Revoke refresh tokens
• Support security bootstrapping (respond with the correct 302 or 303 response which redirects to the authentication endpoint, rather than 401)

There are also some strange implementation details in the way JWTs are used, like kid headers being used to identify individual JWTs, instead of a jti in the JWT payload.

The current implementation provided by the gateway is more like the simpler BearerSecurityScheme.