
Refactor getAccessToken and add getRefreshToken #34

@KyleJune

Description


The oak-localstorage example uses a session instead of sending the access token and refresh token to the client. I did this because I wasn't sure about the best way to store the refresh token in the client.

I now believe it is safe to store the refresh token and access token in HttpOnly, Secure cookies. To avoid sending the refresh token with every request, the refresh token cookie can have the token endpoint specified as the cookie path.

https://stackoverflow.com/questions/68620374/store-access-token-and-refresh-token-in-cookies

To make this change, I will need to update the refresh token grant to have a callback option for an alternative way of getting the refresh token. In the example I will have it check for a refresh token cookie.

The getAccessToken option should be moved to the ResourceServer constructor since there would only ever be one getAccessToken function for a resource server. The Oak adapter for resource server currently takes getAccessToken in the constructor. Once this change is made, that can be removed. The getAccessToken function will no longer need a requireRefresh argument since refreshing will be left to the client.

I have another issue open that will make it easier for the client to handle request failures due to access token expiration and refreshing tokens.

#17
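The cookie layout described above, as an added example that is not code from the oauth2_server project or its Oak adapter: the refresh token cookie is scoped with Path to the token endpoint so a browser only attaches it to token requests, and a small callback reads it back from the Cookie header the way the proposed refresh token grant option would. The endpoint path, the cookie names, the SameSite choice and every function name here are assumptions for illustration; the browser behaviour is simulated with the RFC 6265 path-match rule so the scoping can be checked offline.

```typescript
// Added example, not part of the oauth2_server project or its Oak adapter.
// Assumed values: the token endpoint path and the two cookie names.
const TOKEN_PATH = "/oauth2/token";
const ACCESS_COOKIE = "access_token";
const REFRESH_COOKIE = "refresh_token";

interface CookieOptions {
  path: string;
  maxAge?: number; // seconds
}

interface StoredCookie {
  name: string;
  value: string;
  path: string;
}

// Build a Set-Cookie header value. HttpOnly keeps the token away from page
// scripts, Secure restricts it to HTTPS, and SameSite=Strict (an assumption,
// not something the issue specifies) stops cross-site requests from carrying it.
function tokenCookie(name: string, value: string, opts: CookieOptions): string {
  // RFC 6265 cookie-octet: reject anything that would need quoting or break parsing.
  if (!/^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/.test(value)) {
    throw new Error("token contains characters not allowed in a cookie value");
  }
  const parts = [`${name}=${value}`, `Path=${opts.path}`, "HttpOnly", "Secure", "SameSite=Strict"];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  return parts.join("; ");
}

// Set-Cookie headers a token response would send: the access token is usable
// anywhere under "/", the refresh token only at the token endpoint.
function tokenResponseHeaders(accessToken: string, refreshToken: string, accessTtl: number, refreshTtl: number): string[] {
  return [
    tokenCookie(ACCESS_COOKIE, accessToken, { path: "/", maxAge: accessTtl }),
    tokenCookie(REFRESH_COOKIE, refreshToken, { path: TOKEN_PATH, maxAge: refreshTtl }),
  ];
}

// Minimal client-side store of a Set-Cookie header (name, value, Path only),
// enough to simulate what a browser would later send back.
function storeSetCookie(setCookie: string): StoredCookie {
  const [pair, ...attrs] = setCookie.split("; ");
  const idx = pair.indexOf("=");
  let path = "/";
  for (const attr of attrs) {
    if (attr.toLowerCase().startsWith("path=")) path = attr.slice(5);
  }
  return { name: pair.slice(0, idx), value: pair.slice(idx + 1), path };
}

// RFC 6265 section 5.1.4 path-match: the cookie is sent when the request path
// equals the cookie path or lies beneath it as a whole path segment.
function pathMatches(requestPath: string, cookiePath: string): boolean {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// The Cookie header a browser would build for a request path from its stored cookies.
function cookieHeaderFor(requestPath: string, stored: StoredCookie[]): string {
  return stored
    .filter((c) => pathMatches(requestPath, c.path))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Parse a Cookie request header into a map; the first occurrence of a name wins.
function parseCookies(header: string | null): Map<string, string> {
  const out = new Map<string, string>();
  if (!header) return out;
  for (const pair of header.split(";")) {
    const idx = pair.indexOf("=");
    if (idx < 0) continue;
    const name = pair.slice(0, idx).trim();
    const value = pair.slice(idx + 1).trim();
    if (name && !out.has(name)) out.set(name, value);
  }
  return out;
}

// Shape of the callback the issue proposes for the refresh token grant: an
// alternative way of getting the refresh token, here from the cookie header.
function getRefreshTokenFromCookie(cookieHeader: string | null): string | undefined {
  return parseCookies(cookieHeader).get(REFRESH_COOKIE);
}

// Constructed tokens for a stand-alone run; real tokens come from the server.
const demoHeaders = tokenResponseHeaders("at1", "rt1", 3600, 86400);
const demoJar = demoHeaders.map(storeSetCookie);
console.log("GET /api/user sends:", cookieHeaderFor("/api/user", demoJar));
console.log("POST " + TOKEN_PATH + " sends:", cookieHeaderFor(TOKEN_PATH, demoJar));
console.log("refresh token seen by grant:", getRefreshTokenFromCookie(cookieHeaderFor(TOKEN_PATH, demoJar)));
```

Note that path-match is a segment comparison, so a cookie scoped to `/oauth2/token` is not sent to `/oauth2/tokens`, but it is sent to anything beneath `/oauth2/token/`; keep the token endpoint a leaf route so nothing else on the server receives the refresh token.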

Metadata

Labels

enhancement (New feature or request)
