The current implementation of OAuth2AuthorizationCodeAuthenticationProvider will issue a refresh token to a public client (authenticated via PKCE). This should not be allowed as there are a number of inherent risks with public clients and issuing a refresh token increases the risk to another level.
However, this capability may be introduced at a later point by implementing best practices outlined in OAuth 2.0 for Browser-Based Apps.
Related gh-297
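
The issuance rule requested above, sketched as an added example that is not part of the original issue or the project's code: the decision keys on the authentication method the client actually used for this token request, so a client authenticated only via PKCE gets no refresh token even when the `refresh_token` grant is registered for it. All types and names are hypothetical stand-ins, not Spring Authorization Server API; the sample clients are constructed and Java 16+ is assumed.

```java
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

// Dependency-free model of the issuance decision. Every type and name here is
// hypothetical (an assumption for illustration), not the project's API.
public class RefreshTokenIssuancePolicy {

    enum ClientAuthMethod { CLIENT_SECRET_BASIC, PRIVATE_KEY_JWT, NONE }
    enum GrantType { AUTHORIZATION_CODE, REFRESH_TOKEN }

    // What the token endpoint knows once client authentication has completed.
    record AuthenticatedClient(String clientId, ClientAuthMethod methodUsed,
                               Set<GrantType> registeredGrants) {}

    static boolean isPublic(AuthenticatedClient client) {
        // NONE means no client credential was presented. PKCE ties the code to
        // the party that started the flow; it does not authenticate the client.
        return client.methodUsed() == ClientAuthMethod.NONE;
    }

    static boolean shouldIssueRefreshToken(AuthenticatedClient client) {
        // Registration of the refresh_token grant is necessary but not sufficient:
        // the method used on this request decides, not the registered methods.
        return client.registeredGrants().contains(GrantType.REFRESH_TOKEN)
                && !isPublic(client);
    }

    public static void main(String[] args) {
        Set<GrantType> withRefresh =
                EnumSet.of(GrantType.AUTHORIZATION_CODE, GrantType.REFRESH_TOKEN);
        Set<GrantType> codeOnly = EnumSet.of(GrantType.AUTHORIZATION_CODE);

        // Constructed sample clients. "mobile-and-web" appears twice to show one
        // registration reaching the endpoint with and without a credential.
        List<AuthenticatedClient> samples = List.of(
                new AuthenticatedClient("web-backend", ClientAuthMethod.CLIENT_SECRET_BASIC, withRefresh),
                new AuthenticatedClient("spa", ClientAuthMethod.NONE, withRefresh),
                new AuthenticatedClient("mobile-and-web", ClientAuthMethod.CLIENT_SECRET_BASIC, withRefresh),
                new AuthenticatedClient("mobile-and-web", ClientAuthMethod.NONE, withRefresh),
                new AuthenticatedClient("reports", ClientAuthMethod.PRIVATE_KEY_JWT, codeOnly));

        for (AuthenticatedClient c : samples) {
            System.out.printf("%-15s method=%-20s issueRefreshToken=%s%n",
                    c.clientId(), c.methodUsed(), shouldIssueRefreshToken(c));
        }
    }
}
```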