Add an way/interface for injecting symfony roles from other sources

We currently create symfony roles from the scopes in the access token, but it's common that our users also have a LDAP as a second source for permission related data.

We should provide a way to (optionally) inject extra roles at runtime.