Issue #2971579: Make 'password grant' restrict not only to scope but also to user roles