
Unified Diff: tokenserver/appengine/impl/certconfig/rpc_fetch_crl.go

Issue 2988283002: tokenserver: Allow customizing list of OAuth scopes to use for CRL fetch. (Closed)
Patch Set: Created 3 years, 5 months ago
Index: tokenserver/appengine/impl/certconfig/rpc_fetch_crl.go
diff --git a/tokenserver/appengine/impl/certconfig/rpc_fetch_crl.go b/tokenserver/appengine/impl/certconfig/rpc_fetch_crl.go
index 621e4f43ed4247757b86ab07fbd5f5ecda078a40..9e3c4f7c415425c00c63a7b7568284a3971823ec 100644
--- a/tokenserver/appengine/impl/certconfig/rpc_fetch_crl.go
+++ b/tokenserver/appengine/impl/certconfig/rpc_fetch_crl.go
@@ -35,8 +35,9 @@ import (
"github.com/luci/luci-go/tokenserver/api/admin/v1"
)
-// List of OAuth scopes to use for token sent to CRL endpoint.
-var crlFetchScopes = []string{
+// List of OAuth scopes to use for token sent to CRL endpoint if config doesn't
+// specify 'oauth_scopes' field.
+var crlFetchDefaultScopes = []string{
"https://www.googleapis.com/auth/userinfo.email",
}
@@ -112,7 +113,13 @@ func fetchCRL(c context.Context, cfg *admin.CertificateAuthorityConfig, knownETa
// Pick auth or non-auth transport.
var transport http.RoundTripper
if cfg.UseOauth {
- transport, err = auth.GetRPCTransport(c, auth.AsSelf, auth.WithScopes(crlFetchScopes...))
+ var scopes []string
+ if len(cfg.OauthScopes) != 0 {
+ scopes = cfg.OauthScopes
+ } else {
+ scopes = crlFetchDefaultScopes
+ }
+ transport, err = auth.GetRPCTransport(c, auth.AsSelf, auth.WithScopes(scopes...))
} else {
transport, err = auth.GetRPCTransport(c, auth.NoAuth)
}
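Review bot: `cfg.OauthScopes` is passed unfiltered to `auth.WithScopes` together with `auth.AsSelf`, so the token minted for the service's own account carries whatever scopes the config lists and is then sent as a bearer credential to the CRL endpoint. Nothing in this hunk restricts the list. If the config validation code (not visible here) does not already do so, consider rejecting scopes outside a small allowlist so a config change cannot hand a broadly scoped token to an external server. At minimum, document the constraint at the branch, for example `// Scopes come from config; keep them minimal, the resulting token is sent to the CRL endpoint.` As a smaller style point, the if/else can be shortened to `scopes := cfg.OauthScopes` followed by `if len(scopes) == 0 { scopes = crlFetchDefaultScopes }`. The body of fetchCRL starts and ends outside the hunk, so checks made earlier in the function are not visible here.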