Description
Okta's OIDC implementation has a hard limit of 1 hour for access tokens. mozilla-django-oidc's SessionRefresh middleware lets us push that limit so long as the user is active within the past ~45 minutes, but it seems more sensible to make use of the refresh token (which has a configurable timeout). Refresh tokens would allow Django to silently renew the user's access for potentially weeks, if desired. Refresh tokens don't lose any of the security benefits of SessionRefresh -- the access token must still be re-retrieved, which means we're still confirming that the user is valid in Okta. Without this, after an hour of inactivity, users are logged out of our app (even if they are still logged into Okta) because the access token expired.
In reviewing existing issues, I suspect #377 is a workable implementation, though that PR's languished.
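The renewal the issue proposes is the OAuth 2.0 refresh_token grant: when the stored access token is near expiry, the app posts the refresh token to the provider's token endpoint and stores the new access token (and, if the provider rotates it, the new refresh token); if the provider answers with an error, the user is logged out rather than left with a dead session. The following is an added, Django-independent sketch of that flow, not code from mozilla-django-oidc or from the linked PR. The session is a plain dict, the token endpoint is a constructed stub so it runs offline, and the session keys, client credentials, endpoint URL and `RENEW_MARGIN_SECONDS` are hypothetical names chosen for the example.

```python
"""Refresh-token renewal for an OIDC session (constructed example, no Django needed)."""
import time
from urllib.parse import urlencode

# Hypothetical client configuration: placeholder values, not from any real tenant.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
TOKEN_ENDPOINT = "https://idp.example.invalid/oauth2/v1/token"

# Renew when fewer than this many seconds remain on the access token (assumed margin).
RENEW_MARGIN_SECONDS = 300


class RefreshFailed(Exception):
    """The provider refused the refresh; the caller should log the user out."""


def build_refresh_request(refresh_token):
    """Form body of the refresh_token grant (RFC 6749 section 6)."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        # offline_access is the scope that makes the provider issue refresh tokens.
        "scope": "openid profile offline_access",
    }


def needs_refresh(session, now=None):
    """True when the stored access token is expired or inside the renewal margin."""
    now = time.time() if now is None else now
    return session.get("oidc_access_token_expiration", 0) - now < RENEW_MARGIN_SECONDS


def refresh_session(session, post_token, now=None):
    """Renew the access token in `session` using `post_token(url, data) -> dict`.

    Returns True if a refresh was performed, False if none was needed.
    Raises RefreshFailed when the provider rejects the grant (e.g. the refresh
    token was revoked or expired), so the app can end the session instead of
    silently keeping a user logged in after Okta has dropped them.
    """
    now = time.time() if now is None else now
    if not needs_refresh(session, now):
        return False
    refresh_token = session.get("oidc_refresh_token")
    if not refresh_token:
        raise RefreshFailed("no refresh token in session")
    response = post_token(TOKEN_ENDPOINT, build_refresh_request(refresh_token))
    if "error" in response or "access_token" not in response:
        raise RefreshFailed(response.get("error", "malformed token response"))
    session["oidc_access_token"] = response["access_token"]
    session["oidc_access_token_expiration"] = now + int(response["expires_in"])
    # Providers that rotate refresh tokens return a new one; otherwise keep the old one.
    session["oidc_refresh_token"] = response.get("refresh_token", refresh_token)
    return True


def fake_token_endpoint(url, data):
    """Constructed stand-in for the provider: accepts one refresh token and rotates it."""
    assert url == TOKEN_ENDPOINT and data["grant_type"] == "refresh_token"
    if data["refresh_token"] == "rt-valid":
        return {"access_token": "at-new", "expires_in": 3600, "refresh_token": "rt-rotated"}
    return {"error": "invalid_grant"}


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the run is reproducible
    session = {"oidc_access_token": "at-old",
               "oidc_access_token_expiration": now + 60,   # 1 minute left: inside the margin
               "oidc_refresh_token": "rt-valid"}
    print("request body:", urlencode(build_refresh_request(session["oidc_refresh_token"])))
    print("refreshed:", refresh_session(session, fake_token_endpoint, now))
    print("session now:", session)
```

In a Django deployment `refresh_session` would run from a middleware on each request with `request.session` as the dict and a real `post_token` that POSTs the form body to the provider's `token_endpoint`; the `RefreshFailed` branch is where the middleware would call `logout()` and redirect to the login URL, which is what preserves the "user is still valid in Okta" check the issue cares about.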