GitLab can generate an OAuth token with the `ai_workflows` token scope
Definition of done
- To provide auditable access to GitLab's API in the short term, we are going to create an OAuth token with a new token scope called `ai_workflows`.
- This token will belong to an application-wide OAuth app.
- This will require a few steps:
  - Add an application setting to store the OAuth application id for the special "Duo Workflow OAuth app"
  - Find or create this OAuth app when a user requests a Duo Workflow OAuth token (see how something similar was done for the Web IDE here)
The actual generation of the token will happen when the GitLab API endpoint is called.
Notes on the ai_workflows scope:
- This scope should be available to GitLab.com and SM instances. For now we only need to worry about gitlab.com because that is the target of our August release.
- The `ai_workflows` scope should only be used by OAuth clients; it wouldn't make sense to create a Personal Access Token with this scope because the scope should be used by Duo Workflows only.
- Can we hide this token scope from the "create OAuth token" screen? We do not expect users to create OAuth apps with this scope; there will be just one app that uses this scope and it will be trusted/internal.
- All of this should be behind the `duo_workflow` feature flag so that only flagged-in users can use this functionality.
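As an added illustration of the policy these notes describe (not GitLab's or Doorkeeper's code), the sketch below models the three controls in plain Ruby: the application setting that pins the single trusted app, the find-or-create step, and the server-side checks that keep `ai_workflows` off Personal Access Tokens and off any OAuth client other than the recorded one. Every class, method and setting name here is a hypothetical stand-in, and the `feature_enabled` boolean stands in for the `duo_workflow` flag check.

```ruby
require 'securerandom'
# Hypothetical, self-contained model of the policy in this issue; not GitLab or
# Doorkeeper code. The settings struct, app record and feature_enabled boolean
# stand in for the real application_settings row, OAuth app and duo_workflow flag.
AI_WORKFLOWS_SCOPE = 'ai_workflows'.freeze
# Scopes a user may pick for a Personal Access Token or their own OAuth app;
# ai_workflows is deliberately absent from this list.
USER_SELECTABLE_SCOPES = %w[api read_api read_user].freeze
FLAG_OFF = 'duo_workflow feature flag is disabled'.freeze

class ScopePolicyError < StandardError; end
ApplicationSettings = Struct.new(:duo_workflow_oauth_app_id) # stand-in setting
OAuthApp = Struct.new(:id, :name, :scopes, :trusted)         # stand-in app record

class DuoWorkflowOAuthService
  def initialize(settings:, apps:, feature_enabled:)
    @settings, @apps, @feature_enabled = settings, apps, feature_enabled
  end

  # Find the app whose id is stored in settings, or create the single trusted
  # app with the ai_workflows scope and record its id.
  def find_or_create_app
    raise ScopePolicyError, FLAG_OFF unless @feature_enabled
    existing = @apps.find { |a| a.id == @settings.duo_workflow_oauth_app_id }
    return existing if existing
    app = OAuthApp.new(@apps.size + 1, 'Duo Workflow', [AI_WORKFLOWS_SCOPE], true)
    @apps << app
    @settings.duo_workflow_oauth_app_id = app.id
    app
  end

  # Token generation at the API endpoint: the scope is granted only to the
  # app recorded in settings, never to an arbitrary client that asks for it.
  def issue_token(app:)
    raise ScopePolicyError, FLAG_OFF unless @feature_enabled
    unless app.trusted && app.id == @settings.duo_workflow_oauth_app_id
      raise ScopePolicyError, "#{app.name} is not the Duo Workflow OAuth app"
    end
    { client_id: app.id, scopes: [AI_WORKFLOWS_SCOPE], token: SecureRandom.hex(20) }
  end
end

# PAT creation path: reject ai_workflows server-side, not only by hiding it in the UI.
def validate_pat_scopes(scopes)
  disallowed = scopes - USER_SELECTABLE_SCOPES
  raise ScopePolicyError, "not a PAT scope: #{disallowed.join(', ')}" unless disallowed.empty?
  scopes
end
```

Hiding the scope from the "create OAuth token" screen is a usability measure; the `validate_pat_scopes` and `issue_token` checks are what actually enforce that only the one internal app ever carries it.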
Additional information
Edited by Jessie Young