IdentityServer
Consider refresh method on IBackChannelAuthenticationRequestStore
The CIBA flow can be used for interacting with eID solutions such as Mobilt BankID in Sweden or MitID in Denmark. When using those, the status of an authentication request is acquired through an external API call. The naive implementation would be a custom IBackChannelAuthenticationRequestStore that calls the external API on every Get* operation to ensure that up-to-date data is returned.

The drawback with this is that the external API is called even before basic client validation and throttling rules have been applied. There should be a way to run the basic validation and throttling code first and only call the external API after those pass.

An implementation suggestion is to add a RefreshState() method to IBackChannelAuthenticationRequestStore. It would be invoked by the BackchannelAuthenticationRequestIdValidator after basic validation (client binding, lifetime and throttling) has been done, but before the IsComplete flag is checked. The default implementation would be a no-op.
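The following is an added example, not code from this issue or from Duende IdentityServer, modelling the proposed ordering in C#. The request type, the store interface and the validator are simplified stand-ins chosen for illustration (the real Duende types have more members and different signatures), and the hook is named RefreshStateAsync here as an assumption. The external eID client is simulated and counts its calls, so a reader can confirm that a poll failing client binding, lifetime or throttling never reaches the external API, and that the store's Get* path stays local.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;

// Stand-in for the stored CIBA request (simplified; an assumption, not Duende's type).
public class BackChannelAuthenticationRequest
{
    public string InternalId { get; set; } = "";
    public string ClientId { get; set; } = "";
    public DateTime CreationTime { get; set; }
    public int Lifetime { get; set; }      // seconds
    public bool IsComplete { get; set; }
}

// Reduced store interface with the proposed refresh hook added (hypothetical signature).
public interface IBackChannelAuthenticationRequestStore
{
    Task<BackChannelAuthenticationRequest?> GetByIdAsync(string requestId);
    Task RefreshStateAsync(BackChannelAuthenticationRequest request);
}

// Simulated eID status API; counts calls so the ordering can be checked.
public sealed class ExternalEidClient
{
    public int Calls { get; private set; }

    public Task<bool> IsApprovedAsync(string requestId)
    {
        Calls++;
        return Task.FromResult(true);   // constructed: the user approved in the eID app
    }
}

public sealed class EidBackedStore : IBackChannelAuthenticationRequestStore
{
    private readonly Dictionary<string, BackChannelAuthenticationRequest> _requests = new();
    private readonly ExternalEidClient _eid;

    public EidBackedStore(ExternalEidClient eid) => _eid = eid;

    public void Add(BackChannelAuthenticationRequest request) => _requests[request.InternalId] = request;

    // Local lookup only: no external call before the validator has vetted the request.
    public Task<BackChannelAuthenticationRequest?> GetByIdAsync(string requestId) =>
        Task.FromResult(_requests.GetValueOrDefault(requestId));

    // The only place the external API is reached; the default no-op would simply return.
    public async Task RefreshStateAsync(BackChannelAuthenticationRequest request)
    {
        if (!request.IsComplete)
            request.IsComplete = await _eid.IsApprovedAsync(request.InternalId);
    }
}

// Simplified token-endpoint validator for auth_req_id; the error strings are CIBA's.
public sealed class RequestIdValidator
{
    private readonly IBackChannelAuthenticationRequestStore _store;
    private readonly Dictionary<string, DateTime> _lastPoll = new();
    private readonly TimeSpan _pollInterval;
    private readonly Func<DateTime> _now;

    public RequestIdValidator(IBackChannelAuthenticationRequestStore store, TimeSpan pollInterval, Func<DateTime> now)
    {
        _store = store;
        _pollInterval = pollInterval;
        _now = now;
    }

    public async Task<string> ValidateAsync(string clientId, string requestId)
    {
        var request = await _store.GetByIdAsync(requestId);
        if (request == null || request.ClientId != clientId) return "invalid_grant";           // client binding
        if (_now() > request.CreationTime.AddSeconds(request.Lifetime)) return "expired_token"; // lifetime
        if (_lastPoll.TryGetValue(requestId, out var last) && _now() - last < _pollInterval)
            return "slow_down";                                                                // throttling
        _lastPoll[requestId] = _now();

        await _store.RefreshStateAsync(request);   // external API consulted only after the checks above
        return request.IsComplete ? "ok" : "authorization_pending";
    }
}

public static class Program
{
    public static async Task Main()
    {
        var eid = new ExternalEidClient();
        var store = new EidBackedStore(eid);
        var now = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);   // constructed fixed clock
        store.Add(new BackChannelAuthenticationRequest
        {
            InternalId = "req-1", ClientId = "app", CreationTime = now, Lifetime = 300
        });
        var validator = new RequestIdValidator(store, TimeSpan.FromSeconds(5), () => now);

        // Poll from the wrong client, then from the bound client, then again within the interval.
        Console.WriteLine($"{await validator.ValidateAsync("other-app", "req-1")} (external calls: {eid.Calls})");
        Console.WriteLine($"{await validator.ValidateAsync("app", "req-1")} (external calls: {eid.Calls})");
        Console.WriteLine($"{await validator.ValidateAsync("app", "req-1")} (external calls: {eid.Calls})");
    }
}
```

The three polls in Main exercise the ordering: the first is rejected on client binding with the external call count still at zero, the second passes all checks and is the only one that consults the simulated eID API, and the third arrives inside the poll interval and is throttled before the store's refresh hook runs. Moving the external call out of GetByIdAsync and into the hook is what makes that guarantee hold regardless of how many times the validator or other components read the request.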