Refresh tokens should only work once and return a new refresh token

[ericchiang]

Also known as "Refresh Token Rotation"

Currently a refresh token can be redeemed for an access/ID token as many times at the hold of that refresh token likes. E.g.

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "id_token": "..."
}

Instead, Dex should also return a new refresh token every time one is claimed.

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "id_token": "..."
}

This immediately invalidates the current refresh token, and the client must use the new one. The primary motivation is detecting that a refresh token has be stolen. Summed up well by rfc 6819

Refresh token rotation is intended to automatically detect and
prevent attempts to use the same refresh token in parallel from
different apps/devices. This happens if a token gets stolen from the
client and is subsequently used by both the attacker and the
legitimate client.