[jacky]random thought: is it bad to have a IndieAuth service _adjust_ scopes after the fact? Like I can imagine that as a client, if an action was randomly unauthorized and it hasn't expired yet that refreshing the token's information and/or asking for a new one isn't a bad idea
