
The refresh token is not requested by the token exchange protocol even though the refresh token's presence is mandatory #902

Closed
ErvinRacz opened this issue Jan 17, 2025 · 2 comments

Comments

@ErvinRacz
Contributor

ErvinRacz commented Jan 17, 2025

Description

The refresh token's presence is mandatory according to the current implementation. If it is not present, 401 is returned, forcing the login flow.

There are two problems:

  1. the refresh token's presence should not be mandatory for authorization
  2. currently the refresh token is not even requested with the default configuration of Nebraska, as it misses the offline_access scope.

How does authorization happen if the refresh token is mandatory, but it is not even requested? The current implementation checks only for a nil value and doesn't also check for the empty string that is held by the refresh_token key in the session map.

Impact

  1. Login flow triggered multiple times. See network tab.

Environment and steps to reproduce

  1. Set-up: Configure an IDP and run Nebraska locally:

     ```shell
     air --build.cmd "go build -o ./bin/nebraska ./cmd/nebraska/main.go" \
         --build.bin "./bin/nebraska" \
         --build.args_bin "\
       -http-log \
       -debug \
       --auth-mode oidc \
       --oidc-admin-roles nebraska_admin \
       --oidc-viewer-roles nebraska_member \
       --oidc-roles-path \"http://kinvolk\.io/roles\" \
       --oidc-client-id _redacted_ \
       --oidc-issuer-url https://_redacted_.com/ \
       --oidc-client-secret _redacted_ \
       -oidc-valid-redirect-urls http://localhost:3000/"
     ```
  2. Task: [ describe the task performing when encountering the bug ]
  3. Action(s): Add offline_access scope to the default config. Extend if statement to check empty string. Require refresh_token only if access token has expired.
  4. Error: Without a refresh_token, the login flow is triggered

Expected behavior

Should be able to obtain the refresh token and use it without triggering the login flow at least once.
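The two checks described in this report, as an added Go example that is not Nebraska's own code: the nil-only check next to the proposed one (empty string counts as absent, and a refresh token is required only once the access token has expired), plus a helper that adds the missing offline_access scope. The Session type and the "expiry" key are assumptions of the example.

```go
package main

import (
	"fmt"
	"time"
)

// Session is a hypothetical stand-in for the project's session map; the
// issue notes the refresh_token key can hold an empty string rather than nil.
type Session map[string]interface{}

// needsLoginBuggy reproduces the check the issue describes: only a nil value
// under refresh_token counts as "absent", so an empty string passes.
func needsLoginBuggy(s Session) bool {
	return s["refresh_token"] == nil
}

// needsLoginFixed applies the proposed change: an empty string counts as
// absent, and a refresh token is required only once the access token has
// expired (the "expiry" key is an assumption of this example).
func needsLoginFixed(s Session, now time.Time) bool {
	exp, ok := s["expiry"].(time.Time)
	if !ok {
		return true // no expiry recorded: do not trust the session
	}
	if now.Before(exp) {
		return false // access token still valid, no refresh needed yet
	}
	rt, _ := s["refresh_token"].(string) // nil or non-string yields ""
	return rt == ""
}

// ensureOfflineAccess adds the offline_access scope that the default
// configuration was missing, without duplicating it if already present.
func ensureOfflineAccess(scopes []string) []string {
	for _, sc := range scopes {
		if sc == "offline_access" {
			return scopes
		}
	}
	return append(scopes, "offline_access")
}

func main() {
	now := time.Now()
	s := Session{"refresh_token": "", "expiry": now.Add(-time.Minute)}
	fmt.Println("buggy check wants login:", needsLoginBuggy(s))    // false
	fmt.Println("fixed check wants login:", needsLoginFixed(s, now)) // true
	fmt.Println(ensureOfflineAccess([]string{"openid", "profile", "email"}))
}
```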

@ErvinRacz
Contributor Author

Will be fixed by the following PRs:
#903
#899

@ErvinRacz
Contributor Author

Both PRs have been merged:
#903, #899
