feature: allow refresh flow for public usages

[strehle]

Only if

1. token before was created without client authentication (public flow + PKCE)
2. jwt.refresh.rotate = true , means refresh tokens are rotated

Should solve issue #2138

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/185598571

The labels on this github issue will be updated when the story is started.

[strehle]

Test can be done with
Use UAA from branch https://github.com/cloudfoundry/uaa/tree/feature/issue/test-2138
./gradlew run

-> rotate is active and we have RS256 key

Use standard go or spring boot
go: https://github.com/strehle/cmdline-openid-client -> make -> ~/openid-client -issuer http://localhost:8080/uaa/oauth/token -client_id login -port 7000 -refresh

spring boot: https://github.com/strehle/spring-openid-client -> ./start.sh

Both tools / examples use standard oauth2 implementations from vendor and both support public usage with automatic PKCE support.

if you change uaa.yaml rotate to false, then both tools must show an error in refresh. The access_token (and refresh JWT if you have jwt) show client_auth_method with none, ID-token not, ID token shows only acr values, which is similar , an information about the authentication context of the user, e.g. if 2 factor was used etc...

[strehle]

@Tallicia FYI This feature is now ready for review and you can also do a end to end , see
#2402 (comment)

[Tallicia]

Thanks for the notice @strehle , @swalchemist Is this something you can put on your todo list as tribute?

[swalchemist]

I've started reviewing the code - - looking pretty good so far.

[strehle]

sonar coverage should be enough now
https://sonarcloud.io/component_measures?id=cloudfoundry-identity-parent&pullRequest=2402&metric=new_coverage&view=list

[strehle]

@swalchemist , did you had the chance to check my new commits ? from my side your requests were solved, I am not sure if I should / can close the conversions here in github review?