This change attempts to reduce startup time by generating OAuth2 tokens

only when first needed by the application, instead of when the scope

dictionary is first being set up. A few changes were made in order to

help reduce the overhead.
First, WebAPIScopeDictionary is no longer a dict that self-populates

when constructed, and its contents are no longer manually added/removed

as extensions are enabled/disabled. Instead, WebAPIScopeDictionary is

a standard object that wraps and manages a dict, implementing a few

dictionary functions (__getitem__(), __contains__(), keys(), and

iterkeys()) needed by oauth2_provider. Instead of populating on

construction, it populates whenever something needs to access the

internal dictionary, and only if it's empty.
Population walks every resource tree it's tracking (the root resource

and, when using ExtensionEnabledWebAPIScopeDictionary, each enabled

extension's list of top-level resources). It now does this recursively,

preventing the need to modify another data structure on each iteration,

allowing it to only worry about populating the scope dictionary.
This simplifies things quite a lot, as the extension management now only

has to add/remove the list of resources for the extension and clear the

dictionary. The scopes won't regenerate until needed. It's also now

thread-safe, preventing several concurrent scope generations from

occurring at the same time.
The scope list is now computed on demand from the dictionary, just like

with the standard version. This reduces how much memory we're using to

keep the list of scopes, since looking up the scope list from the

dictionary is a pretty infrequent operation. Because of this, we no

longer need to override OAuth2ProviderSettings.__getattr__.
The overall result is a smaller, simpler class for handling scope

generation that reduces startup time, reduces bookkeeping, is

thread-safe, and more easily extensible.

Unit tests pass.
Tested manually that the scopes weren't populated on startup, but that

I could get the list when needed (triggering a generation).
Also tested that enabling/disabling an extension properly cleared the

scopes, and requesting scopes again caused the new extension resources

to be included in the scope dictionary.