Refactor how token refreshing works to be more resilient (#4819)

* Refactor how token refreshing works to be more resilient

1. ensure we do use the new token if it is not explicitly inhibited by the caller
2. eagerly refresh token if we know it is expired
3. allow refreshing a token multiple times if e.g. on bad connection or the environment has been slept and sufficient time has passed since the last refresh attempt

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

* Iterate

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

* Iterate

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

* Add exponential backoff

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

* Ensure no timing effects on `authedRequest` method call

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

* Iterate

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

---------

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

src/oidc/tokenRefresher.ts

@@ -139,6 +139,7 @@ export class OidcTokenRefresher {
             profile: this.idTokenClaims,
         };
 
+        const requestStart = Date.now();
         const response = await this.oidcClient.useRefreshToken({
             state: refreshTokenState,
             timeoutInSeconds: 300,
@@ -147,7 +148,9 @@ export class OidcTokenRefresher {
         const tokens = {
             accessToken: response.access_token,
             refreshToken: response.refresh_token,
-        };
+            // We use the request start time to calculate the expiry time as we don't know when the server received our request
+            expiry: response.expires_in ? new Date(requestStart + response.expires_in * 1000) : undefined,
+        } satisfies AccessTokens;
 
         await this.persistTokens(tokens);