This repository has been archived by the owner on Mar 22, 2024. It is now read-only.

New Feature: Capture JWT and optionally refresh token from Microsoft and store them #437

Open
AngellusMortis opened this issue Jan 5, 2021 · 1 comment

Comments

@AngellusMortis
Owner

Something I have been wanting to do for a while, but have not gotten the motivation for, is exposing access to the user's Microsoft account to the Django application/frontend. To that end, I would like to eventually implement the following:

  • Pluggable method of "storing" a user's JWT (and optionally Refresh Token if offline access scope is requested) from Microsoft and making them available to Django.
  • For "supported" backends, I would like the following made (I would rather keep these two separate, but very interested in discussion otherwise):
    • One that takes the JWT/Refresh token and stores them in a Secure + HTTP Only encrypted cookie. This allows the JWT to be used on the backend but still 100% be in the control of the user so they can delete it at any time and it is never stored on the backend. This should be the default and preferred for applications that do not need access to the Microsoft JWT on the frontend.
    • One that takes the JWT and stores it in a Secure cookie so the frontend can access it (in the case of SPA or other frontend-heavy apps). Refresh Token should still be stored in a Secure + HTTP Only encrypted cookie.
  • Docs on how to create more of the above backends.
    • Note: I do not want to "officially" support a backend that stores a JWT/Refresh Token on the server side since that takes the control of the JWT/Refresh Token out of the user's control and opens them both up to being stolen on the backend if it is not properly secured. However, I do understand the use case for Enterprise applications to have this functionality, so I want it to be as simple as possible for someone making a Django app to implement their own offline storage for JWTs/Refresh Token if they really need it.
  • A new endpoint that takes the Refresh Token from the encrypted cookie and issues a new JWT. As with the Authentication Backend, it should also update all user data from the JWT when it receives it if that data has changed.
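The following is an added example, written for this page and not code from this project or its owner, of what the two cookie backends and the refresh endpoint proposed above could look like. It assumes cookie names ms_jwt and ms_refresh, a stdlib-only HmacCtrCipher (HMAC-SHA256 keystream with encrypt-then-MAC) standing in for whatever AEAD a real backend would use, and two hypothetical callables, exchange_refresh_token (the call to Microsoft) and update_user (the Django-side update from JWT claims). Signature and issuer validation of the JWT is assumed to happen in the authentication backend; unverified_claims only reads the payload.

```python
import base64
import hashlib
import hmac
import json
import os
from http.cookies import SimpleCookie

def _b64e(raw):  # unpadded base64url: stays inside the cookie-safe charset, so no "=" quoting
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class HmacCtrCipher:
    """Stdlib-only authenticated encryption (HMAC-SHA256 keystream, encrypt-then-MAC).
    Stand-in for an AEAD such as Fernet or AES-GCM; anything exposing seal()/open() plugs in."""
    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("need at least 32 bytes of key material")
        self.enc_key = hashlib.sha256(b"enc|" + key).digest()
        self.mac_key = hashlib.sha256(b"mac|" + key).digest()

    def _keystream(self, nonce, n):
        blocks = (hmac.new(self.enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]

    def seal(self, plaintext: bytes) -> str:
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return _b64e(nonce + ct + tag)

    def open(self, token: str) -> bytes:
        raw = _b64d(token)
        nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("cookie was tampered with or sealed under another key")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

def _set_cookie(jar, name, value, *, http_only):
    jar[name] = value
    jar[name]["secure"], jar[name]["samesite"], jar[name]["path"] = True, "Lax", "/"
    if http_only:
        jar[name]["httponly"] = True  # unreadable from JavaScript

class HttpOnlyCookieStore:
    """Default backend: JWT and refresh token both sealed into Secure + HttpOnly cookies.
    Nothing persists server-side; the user revokes either token by clearing cookies."""
    JWT_COOKIE, REFRESH_COOKIE = "ms_jwt", "ms_refresh"

    def __init__(self, cipher):
        self.cipher = cipher

    def save(self, jar, jwt, refresh=None):
        _set_cookie(jar, self.JWT_COOKIE, self.cipher.seal(jwt.encode()), http_only=True)
        if refresh:
            _set_cookie(jar, self.REFRESH_COOKIE, self.cipher.seal(refresh.encode()), http_only=True)

    def load(self, cookies):
        jwt, refresh = cookies.get(self.JWT_COOKIE), cookies.get(self.REFRESH_COOKIE)
        return (self.cipher.open(jwt).decode() if jwt else None,
                self.cipher.open(refresh).decode() if refresh else None)

class FrontendCookieStore(HttpOnlyCookieStore):
    """SPA backend: the JWT is readable by the frontend (Secure, not HttpOnly, stored as-is);
    the refresh token stays sealed and HttpOnly exactly as in the default backend."""
    def save(self, jar, jwt, refresh=None):
        _set_cookie(jar, self.JWT_COOKIE, jwt, http_only=False)
        if refresh:
            _set_cookie(jar, self.REFRESH_COOKIE, self.cipher.seal(refresh.encode()), http_only=True)

    def load(self, cookies):
        refresh = cookies.get(self.REFRESH_COOKIE)
        return cookies.get(self.JWT_COOKIE), (self.cipher.open(refresh).decode() if refresh else None)

def unverified_claims(jwt: str) -> dict:
    # payload only; signature and issuer validation are assumed to happen in the auth backend
    return json.loads(_b64d(jwt.split(".")[1]))

def refresh_endpoint(store, request_cookies, exchange_refresh_token, update_user):
    """Proposed endpoint: the refresh token comes from the cookie, never from a database; the
    new JWT's claims are pushed through update_user, then both tokens are written back."""
    _, refresh = store.load(request_cookies)
    if not refresh:
        raise PermissionError("no refresh token cookie; the user must sign in again")
    new_jwt, new_refresh = exchange_refresh_token(refresh)  # hypothetical call to Microsoft
    update_user(unverified_claims(new_jwt))
    jar = SimpleCookie()
    store.save(jar, new_jwt, new_refresh or refresh)
    return jar

if __name__ == "__main__":  # constructed demo values, not a real token
    demo_jwt = "hdr." + _b64e(json.dumps({"sub": "user-1", "name": "A. User"}).encode()) + ".sig"
    jar, store = SimpleCookie(), HttpOnlyCookieStore(HmacCtrCipher(os.urandom(32)))
    store.save(jar, demo_jwt, "refresh-token-constructed")
    print(jar.output())
```

Running the module prints the Set-Cookie headers the default backend would emit. The two backends share the refresh-token handling and differ only in whether the JWT is sealed and HttpOnly, which is the split the issue asks for; a third, server-side backend would implement the same save()/load() pair against a database, so the refresh endpoint does not change.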
@alfonsrv

alfonsrv commented Jul 2, 2023

Requires passing offline_access as scope to acquire a refresh_token from the Microsoft endpoint. Microsoft however removes the offline_access scope in the response, which in turn raises an exception within oauthlib for scope mismatch (oauthlib/oauthlib#562). This can be suppressed by either setting the env variable OAUTHLIB_RELAX_TOKEN_SCOPE or using except Warning.
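An added example of how a consumer could handle the scope mismatch described in the comment without relaxing the check globally. This is example code written for this page, not code from this project, the commenter, or oauthlib: granted_scope is a simplified stand-in for the comparison oauthlib makes (raise Warning on a changed scope unless OAUTHLIB_RELAX_TOKEN_SCOPE is set), and the token responses are constructed, modelled only on the field names the comment mentions (scope, refresh_token).

```python
import logging
import os

log = logging.getLogger("ms_auth")

def granted_scope(requested, token_response):
    """Simplified stand-in for oauthlib's token-response scope check (not oauthlib's code):
    any difference between requested and echoed scope raises Warning unless the
    OAUTHLIB_RELAX_TOKEN_SCOPE environment variable is set."""
    requested, granted = set(requested), set(token_response.get("scope", "").split())
    if granted != requested and not os.environ.get("OAUTHLIB_RELAX_TOKEN_SCOPE"):
        old, new = " ".join(sorted(requested)), " ".join(sorted(granted))
        raise Warning(f'Scope has changed from "{old}" to "{new}".')
    return granted

def accept_token_response(requested, token_response):
    """Tolerate exactly the quirk from the comment: offline_access is missing from the echoed
    scope but a refresh_token was still issued. Any other difference (a permission silently
    removed, offline_access dropped without a refresh_token, or extra scopes granted) is
    still rejected, which a blanket OAUTHLIB_RELAX_TOKEN_SCOPE would hide."""
    try:
        return granted_scope(requested, token_response)
    except Warning as exc:
        granted = set(token_response.get("scope", "").split())
        missing = set(requested) - granted
        if missing == {"offline_access"} and token_response.get("refresh_token"):
            log.warning("%s Accepting anyway: refresh_token is present.", exc)
            return granted | {"offline_access"}
        raise

if __name__ == "__main__":
    requested = ["openid", "email", "profile", "offline_access"]
    # constructed responses; real endpoint output has more fields
    quirk = {"scope": "openid email profile", "refresh_token": "<refresh-token>"}
    downgrade = {"scope": "openid", "refresh_token": "<refresh-token>"}
    print("quirk accepted, effective scope:", sorted(accept_token_response(requested, quirk)))
    try:
        accept_token_response(requested, downgrade)
    except Warning as exc:
        print("downgrade rejected:", exc)
```

The narrow except branch keeps the scope check meaningful: a response that drops a permission the application relies on still fails loudly, while the known Microsoft behaviour is logged once and accepted only when the refresh token it implies is actually there.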
