- Austria guedressel
We've the same requirement. Our solution is to store the tokens on the user session for later use (potential token refreshing).
Hooking to the "openid_connect_userinfo_save" did the job for us:
```php
<?php

use Drupal\user\UserInterface;

/**
 * Implements hook_openid_connect_userinfo_save().
 */
function helbling_user_openid_connect_userinfo_save(UserInterface $account, array $context): void {
  // Store OpenID Connect tokens for later use.
  $request = \Drupal::request();
  if (!$request->hasSession()) {
    // This is a strange situation: login via openid connect seems to have completed though no
    // PHP session is available, which is required to keep Drupal's login state.
    // ¯\_(ツ)_/¯
    return;
  }
  $tokens = $context['tokens'];
  $request->getSession()->set('oidc_tokens', $tokens);
}
```
- Belgium filsterjisah
I believe this is a very good idea.
Currently, I'm exploring a method to automatically refresh expired access tokens when a valid refresh token is still available. Ideally, this feature should include a configuration option to enable or disable the auto-refresh behavior.
To proceed, we first need these two issues to be merged:
- https://www.drupal.org/project/openid_connect/issues/2923419 Method to use the refresh token (Needs review)
- https://www.drupal.org/project/openid_connect/issues/3327440 Store and Use Refresh Token on Expiry (Active)

Approach 1:
- Use an event listener that listens to either KernelEvents::REQUEST or AccountEvents::SET_USER.
- Check the session for the OpenID session's expire timestamp. If the token is near expiration and a valid refresh token is available, invoke the ->refreshTokens() method and replace the session tokens with the refreshed values.
- Implement a locking mechanism to prevent multiple requests from using the same refresh token simultaneously, as it can only be used once.
- If refreshing the tokens with the stored refresh token fails, log the user out and return a "419 Page Expired" response.
- If no valid refresh token is available, log the user out and return a "419 Page Expired" response.

Approach 2:
- Use hook_cron() to identify access tokens that are about to expire and handle them in batches.
- Instead of continuously refreshing tokens in the background, consider using the session timestamp combined with the session's maximum lifetime. However, this could be problematic if the maximum session lifetime is set to a higher value.

I believe the first approach is the better option.
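As an added example (not the openid_connect module's code and not from this thread's authors), a Drupal event subscriber implementing Approach 1 above: it reads the `oidc_tokens` session entry stored by the hook earlier in the thread, takes a per-session lock so the single-use refresh token cannot be spent by two concurrent requests, and logs the user out with a 419 when no refresh is possible. The `refreshTokens()` client method (the subject of issue #2923419), the `expire` and `refresh_token` array keys, and the injected `$client` service are assumptions.

```php
<?php
// Hypothetical subscriber (not the module's code): refreshes the tokens that
// the hook above stored under 'oidc_tokens' before the access token expires.
use Drupal\Core\Lock\LockBackendInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

class OidcTokenRefreshSubscriber implements EventSubscriberInterface {
  public function __construct(
    protected LockBackendInterface $lock,
    // Assumed: a client exposing refreshTokens(string $refreshToken): array|false.
    protected object $client,
  ) {}

  public static function getSubscribedEvents(): array {
    return [KernelEvents::REQUEST => ['onRequest', 30]];
  }

  public function onRequest(RequestEvent $event): void {
    $request = $event->getRequest();
    if (!$event->isMainRequest() || !$request->hasSession()) {
      return;
    }
    $session = $request->getSession();
    $tokens = $session->get('oidc_tokens'); // Assumed keys: 'expire', 'refresh_token'.
    if (!is_array($tokens) || ($tokens['expire'] ?? 0) - time() > 60) { // 60 s refresh window.
      return; // Nothing stored, or the access token is still good for a while.
    }
    if (empty($tokens['refresh_token'])) {
      $this->expire($event);
      return;
    }
    // A refresh token is single-use: serialise concurrent requests of one session.
    $lockName = 'oidc_refresh:' . $session->getId();
    if (!$this->lock->acquire($lockName, 10.0)) {
      $this->lock->wait($lockName); // Another request is refreshing; let it finish.
      return;
    }
    try {
      $fresh = $this->client->refreshTokens($tokens['refresh_token']);
      if (!is_array($fresh)) { $this->expire($event); return; } // finally still runs.
      $session->set('oidc_tokens', $fresh + $tokens); // Keep keys the IdP did not resend.
    } finally {
      $this->lock->release($lockName);
    }
  }

  protected function expire(RequestEvent $event): void {
    user_logout(); // Drop the Drupal login state, then short-circuit with 419.
    $event->setResponse(new Response('Page Expired', 419));
  }
}
```

Register it as a tagged `event_subscriber` service with the lock backend and the client as arguments; the lock name is scoped to the session ID, so the lock only serialises requests of the same user session.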
- Merge request !131: Added auto refresh expired tokens behavior which is configurable per OpenID Connect client (Open), created by Unnamed author