Authorization fixes (#162)

* Only use scope offline_access for device code and interactive LOGIN.

* Protect token cache, also for interactive login.

---------

Co-authored-by: Raymond Wiker <rayw@equinor.com>

Author: rwiker

src/sumo/wrapper/_auth_provider.py

@@ -15,7 +15,7 @@
 
 
 def scope_for_resource(resource_id):
-    return f"{resource_id}/.default offline_access"
+    return f"{resource_id}/.default"
 
 
 class AuthProvider:
@@ -138,14 +138,17 @@ def __init__(self, client_id, authority, resource_id):
         return
 
     def login(self):
-        result = self._app.acquire_token_interactive([self._scope])
+        scopes = [self.scope + " offline_access"]
+        result = self._app.acquire_token_interactive(scopes)
 
         if "error" in result:
             raise ValueError(
                 "Failed to acquire token interactively. Err: %s"
                 % json.dumps(result, indent=4)
             )
 
+        protect_token_cache(self._resource_id)
+
         return
 
     pass
@@ -166,7 +169,8 @@ def __init__(self, client_id, authority, resource_id):
         return
 
     def login(self):
-        flow = self._app.initiate_device_flow([self._scope])
+        scopes = [self.scope + " offline_access"]
+        flow = self._app.initiate_device_flow(scopes)
 
         if "error" in flow:
             raise ValueError(