This repository has been archived by the owner on Apr 3, 2023. It is now read-only.

Change autoRefreshToken default to false #185

Open
barrett-hln opened this issue Apr 14, 2022 · 0 comments


Is your feature request related to a problem? Please describe.
The default value of autoRefreshToken is currently true on the ReactKeycloakProvider component. This was surprising to me, and to others I spoke with, since it means that it will keep an SSO session alive as long as a user has a tab/window open (and has a stable network connection) to a page that uses the ReactKeycloakProvider component where the default was not manually set to false via the autoRefreshToken property. For an app with no server-side user state, where the session times are not managed by the app server, this could extend login session liveliness times past what a developer intended.

Describe the solution you'd like
A more secure default would be false. Then include some instructions somewhere on strategies to refresh the token, like calling updateToken on any API call requiring authentication, prior to making the call. Another option is using something like react-idle-timer if the intent is to watch for client-side activity to keep the SSO session alive. Again, these strategies are geared more towards apps with no server-side managed session state, which are getting to be more common.

Describe alternatives you've considered
No matter what the default is, it would still be good to give instructions on alternative strategies for keeping tokens alive in this repo, and in code comments where it says changing this default is not recommended.
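As an added example (not code from the issue or from the react-keycloak project), here is the call-site strategy described above: an authenticated fetch wrapper that calls keycloak-js's updateToken only when the access token is about to expire, so the provider can be mounted with autoRefreshToken set to false. The keycloak stand-in and the injectable fetchImpl parameter are constructed for running offline and are not part of either library.

```javascript
// Added example (not from the issue or react-keycloak): refresh the access
// token on demand at the API call site, so the provider can be mounted with
//   <ReactKeycloakProvider authClient={keycloak} autoRefreshToken={false}>
// Assumes keycloak-js's `updateToken(minValidity)` (resolves true if a refresh
// happened, false if the token was still valid, rejects if the refresh token
// or SSO session is gone) and its `token` property.

const MIN_VALIDITY_SECONDS = 30; // refresh when less than this remains

// Wrap one authenticated request: refresh only if needed, then attach the
// current access token as a Bearer header. `init.headers` is expected to be a
// plain object. `fetchImpl` is injectable so the wrapper runs offline.
async function authenticatedFetch(keycloak, url, init = {}, fetchImpl = fetch) {
  let refreshed;
  try {
    refreshed = await keycloak.updateToken(MIN_VALIDITY_SECONDS);
  } catch (err) {
    // Do not fall back to a stale token: the session really ended on the
    // server side, so the caller must send the user back through login.
    throw new Error('SSO session expired; re-authentication required');
  }
  const headers = { ...(init.headers || {}), Authorization: `Bearer ${keycloak.token}` };
  const response = await fetchImpl(url, { ...init, headers });
  return { response, refreshed };
}

// Constructed stand-in for a keycloak-js instance (hypothetical; offline only).
// `secondsLeft` is the access token's remaining lifetime; `canRefresh` models
// whether the refresh token / SSO session is still valid on the server.
function makeFakeKeycloak({ secondsLeft, canRefresh }) {
  const now = () => Math.floor(Date.now() / 1000);
  return {
    token: 'access-token-1',
    tokenParsed: { exp: now() + secondsLeft },
    async updateToken(minValidity) {
      if (this.tokenParsed.exp - now() > minValidity) return false; // still valid
      if (!canRefresh) throw new Error('refresh_token expired');
      this.token = 'access-token-2';
      this.tokenParsed.exp = now() + 300;
      return true;
    },
  };
}
```

With this wrapper the SSO session is only extended when the user actually triggers an authenticated request, rather than on a timer for as long as the tab stays open.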
