Fixed bug with required grant and made allowedUrls optional

[vytautas-pranskunas-]

After getting 4.0.0 i faced 2 issues:

1. Getting error on grantedScopes.split('+'). thing is that IdentityServer4 does not send this information at least in my case (as far as i understand it checks allowed scoped agains issued token on request) so it should be optional.
2. Allowed urls where required with check startsWith. So in our case we are calling api without domain e.g. /api on DEV, QA, PROD environments but on localhost we call it with host. This is because on other environments proxy redirect is grabing requests to avoid OPTIONS request since API and web are separated. On other hand on localhost we do not have any proxy so we have to call full url like http://api..../.... So we are ending up mixed situations. We could change this check with indexOf but this is not very good options because different urls can have parts of allowed urls. So I made it optional. I think it should not cause any issues or penalties.
3. Also I fixed few bugs where brackets were missing on hasValidIdToken() call
4. Also added this.__storage check because of SSR

Question - how soon can we release fixes because our team is hardly depend on them :)

[enterprisebug]

@vytautas-pranskunas- i can confirm that it is working!

[manfredsteyer]

Thanks for this PR. Very apprechiated!