enhanced refresh token config
CMS plans to use HashiCorp Vault to securely store long-lifetime credentials. Refresh-tokens from IAM would be stored in the vault. To avoid re-authorization after the refresh-token lifetime expires, we would like to refresh the refresh-tokens before their expiration (once they fall below the maximum expected job queuing plus execution time). We don't want to refresh the refresh-token on each access-token request to limit IAM operation. (There could be many access-tokens acquired from a refresh-token.)

We would like to ask for a new refresh-token config option that auto-rotates/refreshes a refresh-token when the remaining lifetime drops below a minimum. (In addition to the current auto-rotate/refresh on access-token request.)

It would also be nice to have a refresh-token config option to explicitly allow refresh-token lifetimes beyond the lifetime of the initial refresh-token. (The current maximum refresh-token lifetime would still apply to each refresh-token.)

Thanks,
- Stephan
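
The rotation policy requested above, as an added sketch that is not code from the issue or from IAM: it replays a constructed stream of access-token requests and compares rotating on every request, rotating only below a remaining-lifetime threshold, and the same threshold when a rotated token may not outlive the initial one. The option names, the "pinned" mode and all numbers are assumptions made for the comparison, not IAM settings or a statement of IAM's current behaviour.

```python
# Added illustration: option names and numbers are hypothetical, not IAM settings.
from dataclasses import dataclass
from typing import Iterable, Optional

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class Outcome:
    rotations: int                    # refresh-tokens issued after the initial one
    final_expiry: int                 # expiry (s) of the token held at the end
    reauth_needed_at: Optional[int]   # first request that found the token expired


def simulate(request_times: Iterable[int], max_lifetime: int, min_remaining: int,
             rotate_every_request: bool = False,
             extend_beyond_initial: bool = True) -> Outcome:
    """Replay access-token requests against one stored refresh-token chain."""
    expiry = initial_expiry = max_lifetime    # initial token issued at t = 0
    rotations = 0
    for now in request_times:
        if now >= expiry:                     # token expired: user must re-authorize
            return Outcome(rotations, expiry, now)
        if rotate_every_request or expiry - now < min_remaining:
            new_expiry = now + max_lifetime   # per-token maximum still applies
            if not extend_beyond_initial:     # chain pinned to the first token's expiry
                new_expiry = min(new_expiry, initial_expiry)
            expiry = new_expiry
            rotations += 1
    return Outcome(rotations, expiry, None)


# Constructed workload: one access-token request per hour for 90 days,
# 30-day refresh-token lifetime, 7 days of queuing plus execution headroom.
REQUESTS = range(HOUR, 90 * DAY + 1, HOUR)
MAX_LIFETIME, MIN_REMAINING = 30 * DAY, 7 * DAY

every_request = simulate(REQUESTS, MAX_LIFETIME, MIN_REMAINING, rotate_every_request=True)
threshold = simulate(REQUESTS, MAX_LIFETIME, MIN_REMAINING)
pinned = simulate(REQUESTS, MAX_LIFETIME, MIN_REMAINING, extend_beyond_initial=False)

if __name__ == "__main__":
    for name, o in [("every request", every_request), ("threshold", threshold),
                    ("threshold, pinned", pinned)]:
        print(f"{name:18} rotations={o.rotations:5} reauth_at={o.reauth_needed_at}")
```

Each rotation replaces the secret stored in Vault, so the rotation count is also the number of Vault writes and of refresh-token values that existed during the period.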