feat: allow scopes for self signed jwt

[arithmetic1728]

This doc implements https://google.aip.dev/auth/4111. Internal doc: go/yoshi-self-signed-jwt-phase-2.

The main feature here is now we can use scope claim in self signed JWT.

This PR does the following 2 things:
(1) Add always_use_jwt_access property to service account credentials to allow opt-in for the feature.
(2) If always_use_jwt_access is True, then apply the following logic. If alwaysUseJwtAccess is False, the logic is the same as before; if True, then we can always use self signed jwt with scopes or audience.

if (alwaysUseJwtAccess):
    if (scope):
        // create a self signed JWT with "scope" set to the scope
    else if (audience):
        // create a self signed JWT with "aud" set to the audience
    else if (defaultScope):
        // create a self signed JWT with "scope" set to the defaultScope
else:
    if (scope):
        // call OAuth token endpoint
    else if (audience):
        // create a self signed JWT with audience
    else if (defaultScope):
        // call OAuth token endpoint

This PR has been tested with python-kms, googleapis/python-kms#122

The follow up PR in python microgenerator is: googleapis/gapic-generator-python#920

[busunkim96]

I think the way google-api-core is written it will always pass through an audience. https://github.com/googleapis/python-api-core/blob/155da5e18cc2fdcfa57de6f956b7d078e79cd4b7/google/api_core/grpc_helpers.py#L249-L251 and the elif self._default_scopes case will never be reached.

Is it necessary to distinguish between the "default" audience and a user defined audience? It looks like Cody asked a question about this in the doc as well.

[arithmetic1728]

I think it is fine that self._default_scopes is never reached. We can just leave it here for logic completeness.

We don't need to distinguish a default audience and a user defined audience. If the user doesn't provide the scope but provides the audience, then they are responsible that the audience is correct.