Implement refresh tokens

[anderspitman]

Similar situation to dynamic client registration. Doesn't really add anything, but it's the expected flow for other software that wants to interact with obligator. See #28.

[btrepp]

Adding another use-case.

kubenav https://kubenav.io supports cidc, and I have gotten it most of the way configured to work. However unlike kubelogin, kubenav really aims to get the initial token, and then refresh it itself. This means in configuring the first thing it appears to do is request a refresh token, and thus fail. I think when refresh tokens are added, this will help enable compatibility with devices/flows/apps that have assumptions about using refresh tokens