OAuth token refreshes in reference client are brittle

[mary-ext]

Describe the bug

As in the title, token refreshes are very likely to fail resulting in a log out if the user happens to be reload the page at the wrong moment.

To Reproduce

Steps to reproduce the behavior:

1. Use the OAuth browser library and sign in
2. Wait 10+ minutes and for token to expire
3. Refresh the token
4. While refreshing, reload the page.

Expected behavior

It shouldn't be likely for reloads to sign you out

Details

While this is entirely unavoidable, this seems to be mostly happening because the client needs to verify whether the new access tokens are received from the right issuer.

atproto/packages/oauth/oauth-client/src/oauth-server-agent.ts

Line 145 in 319aa7c

const resolved = await this.oauthResolver.resolveFromIdentity(sub, {

Since this happens in between a request to refresh tokens and actually storing that token, this leaves quite a gap, one that's especially big on slow networks, on said tokens potentially getting lost before it makes its way into IndexedDB

As we aren't doing a stale-while-refresh approach for identity and metadata resolution, this is bound to happen every 10 minutes, as that's what the cache expiry time is currently configured at.

[mary-ext]

I suppose moving resolveFromIdentity to refresh method might be the answer? So long as we're not doing it in-between it seems fine.