Selected OAuth2 scopes are not respected on authentication #2497

Closed
frol opened this issue Nov 13, 2016 · 0 comments

frol commented Nov 13, 2016

No matter which OAuth2 scopes are selected using checkboxes, the crafted request includes all of the available ones.

Steps to reproduce:

  1. Open Petstore demo: http://petstore.swagger.io/
  2. Click "Authorize" in the top right corner of the page
  3. Select only one of the OAuth2 scopes, e.g. write:pets
  4. Click "Authorize"

The result:

A new page is opened with the following URL: http://petstore.swagger.io/oauth/dialog?response_type=token&redirect_uri=http%3A%2F%2Fpetstore.swagger.io%2Fo2c.html&realm=your-realms&client_id=your-client-id&scope=write%3Apets%2Cread%3Apets&state=petstore_auth. The URL includes write:pets AND read:pets.

The expected result:

A new page is opened with the following URL: http://petstore.swagger.io/oauth/dialog?response_type=token&redirect_uri=http%3A%2F%2Fpetstore.swagger.io%2Fo2c.html&realm=your-realms&client_id=your-client-id&scope=write&state=petstore_auth. The URL includes ONLY write:pets.

I have tested the following Swagger-UI versions: 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, and the master branch. The bug has always been there!

NOTE: I would also like to express a desire to have a way to either toggle all scopes at once, or default them to all enabled by default, or even have a configuration to specify which scopes should be enabled by default.
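The behaviour described in this report, as an added example that is not Swagger-UI's own code: the authorization URL is built only from the scopes whose checkboxes are ticked, the reported all-scopes behaviour can be reproduced through a flag, and a guard checks the finished URL before any redirect so the token never carries more than was asked for. The parameter names and values mirror the URLs quoted above; the checkbox list and the helper names (`buildAuthorizeUrl`, `requestedScopes`, `onlySelected`) are assumptions of this example.

```javascript
// Added example, not Swagger-UI code. Endpoint and parameters copied from the
// URLs quoted in the issue; helper names and the checkbox list are assumptions.
const AUTH_ENDPOINT = 'http://petstore.swagger.io/oauth/dialog';

// Constructed sample of the "Authorize" dialog state: only write:pets is ticked.
const SCOPE_CHECKBOXES = [
  { name: 'write:pets', checked: true },
  { name: 'read:pets', checked: false },
];

// Build the implicit-flow authorization URL. With requestAll = true every
// available scope goes out regardless of the checkboxes (the reported bug);
// the default honours the user's selection (least privilege for the token).
function buildAuthorizeUrl(scopeCheckboxes, { requestAll = false } = {}) {
  const scopes = scopeCheckboxes
    .filter((s) => requestAll || s.checked)
    .map((s) => s.name);
  const params = new URLSearchParams({
    response_type: 'token',
    redirect_uri: 'http://petstore.swagger.io/o2c.html',
    realm: 'your-realms',
    client_id: 'your-client-id',
    // Petstore separates scopes with a comma (encoded as %2C), as in the issue.
    scope: scopes.join(','),
    state: 'petstore_auth',
  });
  return `${AUTH_ENDPOINT}?${params.toString()}`;
}

// Parse the scope list back out of an authorization URL (URL decoding is done
// by the URL API), so the outgoing request can be inspected before redirecting.
function requestedScopes(url) {
  const scope = new URL(url).searchParams.get('scope') || '';
  return scope.split(',').filter(Boolean);
}

// Guard: true only if every requested scope was actually selected by the user.
function onlySelected(url, scopeCheckboxes) {
  const allowed = new Set(
    scopeCheckboxes.filter((s) => s.checked).map((s) => s.name),
  );
  return requestedScopes(url).every((s) => allowed.has(s));
}
```

Run with `buildAuthorizeUrl(SCOPE_CHECKBOXES, { requestAll: true })` to reproduce the URL quoted in the report, and without the flag to get a URL whose scope parameter is `write%3Apets` only.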
