Support refresh tokens in OpenBao's OIDC provider #186

Open
siepkes opened this issue Mar 7, 2024 · 0 comments

Comments

Contributor

siepkes commented Mar 7, 2024

Is your feature request related to a problem? Please describe.

Currently it is possible to retrieve an access_token in OpenBao but not to extend its lifetime in an OAuth2 / OIDC compatible way. When creating client applications (such as a single page application or iOS / Android app) you don't want the user to have to re-login every day. However, creating an access_token with a really long lifetime is often not desirable.

Describe the solution you'd like

I would like OpenBao to support section 1.5 of the OAuth2 spec, refresh tokens, allowing me to obtain a new access_token (OpenBao batch token) by using a refresh token. The refresh token is provided to the client at the same time the access_token is provided. In OpenBao's case the refresh token could be used to extend the lifetime of the access_token to its max_ttl. The access_token is allowed to change when it is refreshed (as far as I know). Same goes for the refresh token itself.

Describe alternatives you've considered

Using the OpenBao specific API to refresh the token, since the OIDC access_token is in essence "just" an OpenBao batch token. However, that might hurt OpenBao's OIDC adoption since standard client libraries with support for refresh tokens won't work.

I originally created this as a Vault feature request: hashicorp/vault#16134, where it gathered the most engagement I ever had online, 23 thumbs-up emojis! ;-)
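To make the requested behaviour concrete, here is an added example (not OpenBao or Vault code) of a minimal token issuer implementing the refresh_token grant described above: each access_token is short-lived, a refresh produces a new access_token and a rotated refresh_token, the grant as a whole can never outlive max_ttl, and replay of an already-rotated refresh_token revokes the whole token family. The class and method names (TokenIssuer, issue, refresh) are hypothetical; max_ttl mirrors the token parameter named in the issue.

```python
import secrets
import time


class TokenIssuer:
    """Hypothetical issuer for the OAuth2 refresh_token grant (RFC 6749 section 6)."""

    def __init__(self, ttl=3600, max_ttl=30 * 24 * 3600, now=time.time):
        self.ttl, self.max_ttl, self.now = ttl, max_ttl, now
        self._grants = {}  # live refresh_token -> (client_id, family, created_at)
        self._used = {}    # rotated-out refresh_token -> family, for reuse detection

    def _response(self, client_id, family, created_at):
        # expires_in is capped at created_at + max_ttl, so however often the
        # client refreshes, no access_token of this grant outlives max_ttl.
        remaining = created_at + self.max_ttl - self.now()
        refresh = secrets.token_urlsafe(32)
        self._grants[refresh] = (client_id, family, created_at)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": int(min(self.ttl, remaining)), "refresh_token": refresh}

    def issue(self, client_id):
        """Initial grant after login: a short-lived access_token plus a refresh_token."""
        return self._response(client_id, secrets.token_hex(8), self.now())

    def refresh(self, refresh_token):
        """Exchange a refresh_token for a new access_token; the refresh_token rotates."""
        if refresh_token in self._used:
            # A refresh_token that was already rotated out is being replayed: treat
            # the whole family as compromised and revoke every live descendant.
            family = self._used[refresh_token]
            for rt in [rt for rt, g in self._grants.items() if g[1] == family]:
                del self._grants[rt]
            raise PermissionError("invalid_grant: refresh token reuse detected")
        grant = self._grants.pop(refresh_token, None)
        if grant is None:
            raise PermissionError("invalid_grant: unknown refresh token")
        client_id, family, created_at = grant
        if self.now() >= created_at + self.max_ttl:
            # The grant reached max_ttl: the user has to log in again.
            raise PermissionError("invalid_grant: max_ttl exceeded, re-authenticate")
        self._used[refresh_token] = family
        return self._response(client_id, family, created_at)
```

The `now` parameter exists so the clock can be injected in tests; in production the default `time.time` is used.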
