fix for oauth2 refresh tokens obtained using client secret

[wfraser]

They are different from tokens obtained with the PKCE flow, and need the client secret to be provided again along with the refresh token when obtaining new tokens.

Checklist

General Contributing

• [x] I have read the Code of Conduct and signed the CLA.
• [x] I have added an entry to the RELEASE_NOTES.md file, or believe it's not necessary for this change.

Validation

(Semi-)manual testing; not going to check in the oauth2 tests I have which all have private tokens in them...