OAuth2 handler should make client_id and scopes of the access token available to rules and headers
Summary
When using an OAuth2 handler, we can use variables in rules and headers that are based on all session attributes, but not on the incoming Access Token.
It should be possible to restrict access depending on granted scopes, and the API protected by the handler might want to log the client_id that the access token was issued for.
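
A sketch of the requested behaviour, added here as an illustration and not taken from the project's code. It assumes the handler holds an RFC 7662 introspection response for the access token; the function names, the `X-OAuth-*` header names and the sample token data are hypothetical.

```python
import re

# Values copied into upstream headers must be printable ASCII without
# spaces, CR or LF, so a token field cannot smuggle an extra header.
_SAFE = re.compile(r"[\x21-\x7e]{1,256}")

def token_context(introspection):
    """Return (client_id, scopes) for an active token, else None."""
    if introspection.get("active") is not True:
        return None
    client_id = introspection.get("client_id")
    if not isinstance(client_id, str) or not _SAFE.fullmatch(client_id):
        return None
    scope = introspection.get("scope", "")
    if not isinstance(scope, str):
        return None
    scopes = scope.split()  # RFC 7662: space-delimited scope string
    if not all(_SAFE.fullmatch(s) for s in scopes):
        return None
    return client_id, frozenset(scopes)

def evaluate(introspection, required_scopes):
    """Hypothetical rule: allow only if every required scope was granted."""
    ctx = token_context(introspection)
    if ctx is None:
        return {"allow": False, "status": 401, "headers": {}}
    client_id, scopes = ctx
    missing = sorted(set(required_scopes) - scopes)
    if missing:
        return {"allow": False, "status": 403, "headers": {},
                "missing": missing}
    # Headers for the protected API, e.g. so it can log the client_id.
    return {"allow": True, "status": 200, "headers": {
        "X-OAuth-Client-Id": client_id,
        "X-OAuth-Scopes": " ".join(sorted(scopes)),
    }}

# Constructed sample introspection response (not real token data).
SAMPLE = {"active": True, "client_id": "billing-service",
          "scope": "orders:read orders:write"}

if __name__ == "__main__":
    print(evaluate(SAMPLE, {"orders:read"}))
    print(evaluate(SAMPLE, {"orders:delete"}))
```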