Take into account scope from /privet/v3/auth call

For local case the scope was ignored. Behavior was similar to "auto" scope.

Change-Id: I6aabca13929d10101f5b350641aa6edd84d50a23
Reviewed-on: https://weave-review.googlesource.com/2880
Reviewed-by: Alex Vakulenko <avakulenko@google.com>
diff --git a/src/privet/privet_handler.cc b/src/privet/privet_handler.cc
index 7afeb3b..97cacc5 100644
--- a/src/privet/privet_handler.cc
+++ b/src/privet/privet_handler.cc
@@ -713,6 +713,8 @@
     return ReturnError(*error, callback);
   }
 
+  CHECK_LE(access_token_scope, desired_scope);
+
   if (access_token_scope < acceptable_scope) {
     Error::AddToPrintf(&error, FROM_HERE, errors::kAccessDenied,
                        "Scope '%s' is not allowed",
diff --git a/src/privet/security_manager.cc b/src/privet/security_manager.cc
index 3b08613..3c11935 100644
--- a/src/privet/security_manager.cc
+++ b/src/privet/security_manager.cc
@@ -144,9 +144,11 @@
         return disabled_mode(error);
       const base::TimeDelta kTtl =
           base::TimeDelta::FromSeconds(kAccessTokenExpirationSeconds);
-      return auth_manager_->CreateAccessTokenFromAuth(
+      bool result = auth_manager_->CreateAccessTokenFromAuth(
           auth_code, kTtl, access_token, access_token_scope, access_token_ttl,
           error);
+      *access_token_scope = std::min(*access_token_scope, desired_scope);
+      return result;
   }
 
   return Error::AddTo(error, FROM_HERE, errors::kInvalidAuthMode,