
Implement FE work for 3rd party accts - Refresh token on client #132

Closed
1 task done
ajpeddakotla opened this issue Jan 12, 2017 · 1 comment

ajpeddakotla commented Jan 12, 2017

Background:

3rd party users will use their own authentication mechanism (in eLife's case, the ORCID system), and they will be able to use Hypothesis to annotate on the publisher's page after logging in to their 3rd party account.

Based on our research work in #66, we decided to implement a Static approach, assuming that the token will be loaded on every page load.

Specific task to be addressed in this issue:

This issue is concerned with auth.js needing to be updated to send an opaque access token instead of the JWT header in the third party context.

  • Need to implement OAuth token refresh and make sure fetchOrReuseToken handles reuse of the access token as well
@ajpeddakotla ajpeddakotla added this to the Implement and Ship Publisher Groups milestone Jan 12, 2017
@ajpeddakotla ajpeddakotla reopened this Jan 16, 2017
@ajpeddakotla ajpeddakotla changed the title Refresh token on client Implement FE work for 3rd party accts - Refresh token on client Jan 16, 2017

seanh commented Feb 3, 2017

  • Remove the client code that makes it try to re-use the grant token after the access token has expired. It should use the grant token once and once only (per page load).

  • Make the client use the refresh token, on a timer, to get a new access token several minutes before the access token expires

  • Make the client show some sort of sensible error message to the user if it finds itself without an access token, or with an expired one, because a grant token or refresh token request failed. The user has to try reloading the page. Probably also log an error message at the time when the request fails. Created a separate ticket for this: The client needs to handle OAuth-related errors in a user-friendly way #169

  • Optionally expire a refresh token immediately when it is used. This is actually server-side work. It is more secure because the same refresh token cannot be used twice, so if a refresh token has been stolen by an attacker then it cannot be used by both the attacker and the victim.
    Decided not to do this right now, see Slack discussion: https://hypothes-is.slack.com/archives/backend/p1486661660003549

  • Optionally allow refresh tokens to still be used a few hours after the access token has expired?

    Normally the client will try to use the refresh token several minutes before it expires. But what if the user suspends their laptop? Or temporarily loses their internet connection? If the client is still able to use the refresh token a couple of hours late then we can avoid showing "you need to reload the page" error messages to the user. We don't want the refresh tokens to live too long though, as this reduces our security, so it's a trade-off: if the user puts their laptop to sleep overnight and then tries to resume in the morning they may have to get such an error message. Unless we decide to let the refresh tokens live for say 12 or 24 hours.

    Decided not to do this right now, see Slack discussion: https://hypothes-is.slack.com/archives/backend/p1486662430003559

I made a separate issue to add metrics: #170

@ajpeddakotla ajpeddakotla modified the milestones: Implement and Ship Publisher Groups, 3rd party accounts Feb 10, 2017
3 participants