Open
📝 Description of the feature
Split from #639
We currently use non-public methods within `requests_auth` to work around some OIDC issues, specifically (quoting from #639 (comment)):
The issue, as I recall, was if you provide a refresh token to the builder you can get into a situation where the initial request to get an access token also triggers the refresh token to be rotated. I don't think this was properly handled in requests-auth, and we ended up with an out of date refresh token.
This became a problem recently where `requests_auth` was updated from 7 to 8, which broke this package.
We should review the current behavior to see if this is still an issue. If it is, we should see if we can get this functionality contributed to the `requests_auth` package.
💡 Steps for implementing the feature
- Check if we still need to use the non-public methods
- If yes, contribute an alternative approach upstream
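The rotation problem quoted above can be reproduced offline as a check for the first step. This is an added example, not code from this package or from `requests_auth`; the endpoint is a constructed in-memory stand-in and all class and function names are hypothetical.

```python
import secrets


class RotatingTokenEndpoint:
    """Constructed stand-in for an OIDC token endpoint with refresh token rotation."""

    def __init__(self, initial_refresh_token):
        self._valid_refresh = initial_refresh_token

    def refresh_grant(self, refresh_token):
        # Each refresh token is single-use: a successful grant invalidates it.
        if refresh_token != self._valid_refresh:
            return {"error": "invalid_grant"}
        self._valid_refresh = secrets.token_urlsafe(16)
        return {
            "access_token": secrets.token_urlsafe(16),
            "refresh_token": self._valid_refresh,
        }


class StaleClient:
    """Keeps the refresh token it was built with and ignores rotation."""

    def __init__(self, endpoint, refresh_token):
        self.endpoint = endpoint
        self.refresh_token = refresh_token

    def get_access_token(self):
        response = self.endpoint.refresh_grant(self.refresh_token)
        return response.get("access_token")


class RotationAwareClient(StaleClient):
    """Stores the rotated refresh token from every successful response."""

    def get_access_token(self):
        response = self.endpoint.refresh_grant(self.refresh_token)
        # RFC 6749 section 6: a newly issued refresh token replaces the old one.
        self.refresh_token = response.get("refresh_token", self.refresh_token)
        return response.get("access_token")


def second_request_succeeds(client_cls):
    seed = "constructed-initial-refresh-token"  # constructed sample value
    client = client_cls(RotatingTokenEndpoint(seed), seed)
    client.get_access_token()  # the initial request already rotates the token
    return client.get_access_token() is not None
```

Running the same two-request sequence against the real auth object shows whether the workaround is still needed: if the second request fails with `invalid_grant`, the rotated token is not being kept.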