Allow encoding scope claims of oauth access token JWT (#4149)

* Refactor token decoding

* Add scope decoder to pds

* tidy

* tidy

* tidy

* tidy

* review changes

* Add scope normzlization utility

* wording in lexicon

* Add specific error

* style

* tidy

* Update `AccessTokenMode` enum values to be more meaningful

* tidy

* Update .changeset/brown-boxes-bow.md

Co-authored-by: devin ivy <[email protected]>

* Add retry strategy

* lint

* lint

---------

Co-authored-by: devin ivy <[email protected]>

Author: matthieusieben

.changeset/brown-boxes-bow.md

@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-scopes": patch
+---
+
+Add scope normalization utility

.changeset/dry-crabs-help.md

@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": minor
+---
+
+Update `AccessTokenMode` enum values to be more meaningful

.changeset/fast-glasses-matter.md

@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": minor
+---
+
+Rename `SignedTokenPayload` to `AccessTokenPayload`

.changeset/four-kiwis-brake.md

@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-scopes": minor
+---
+
+Method `authenticateRequest` now returns `SignedTokenPayload`

.changeset/nasty-needles-lie.md

@@ -0,0 +1,5 @@
+---
+"@atproto-labs/simple-store-redis": patch
+---
+
+Initial implementation of redis based `SimpleStore` implementation

.changeset/soft-countries-deny.md

@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": patch
+---
+
+Add `onCreateToken` and `onDecodeToken` hooks to intercept access token JWT claims encoding/decoding

lexicons/com/atproto/temp/dereferenceScope.json

@@ -0,0 +1,39 @@
+{
+  "lexicon": 1,
+  "id": "com.atproto.temp.dereferenceScope",
+  "defs": {
+    "main": {
+      "type": "query",
+      "description": "Allows finding the oauth permission scope from a reference",
+      "parameters": {
+        "type": "params",
+        "required": ["scope"],
+        "properties": {
+          "scope": {
+            "type": "string",
+            "description": "The scope reference (starts with 'ref:')"
+          }
+        }
+      },
+      "output": {
+        "encoding": "application/json",
+        "schema": {
+          "type": "object",
+          "required": ["scope"],
+          "properties": {
+            "scope": {
+              "type": "string",
+              "description": "The full oauth permission scope"
+            }
+          }
+        }
+      },
+      "errors": [
+        {
+          "name": "InvalidScopeReference",
+          "description": "An invalid scope reference was provided."
+        }
+      ]
+    }
+  }
+}