figure out how to use ibm cloud refresh tokens #106

Open
starpit opened this issue Aug 7, 2024 · 0 comments

starpit commented Aug 7, 2024

right now we support two modes of authentication against IBM Cloud: bearer tokens and api keys. the former is convenient, in that the user can log in and choose a resource group orthogonally to the use of lunchpail.

however, bearer tokens time out unbelievably quickly. and... without some more thought, we cannot use the refresh token, because this requires us to know (and use) the oauth client id/secret pair that was used to acquire the refresh token.

so, either:

  1. we apply for an oauth client with ibm cloud; this would let us request and manage the tokens directly
  2. maybe we can do something with "delegated" refresh tokens? not sure, this may still require 1). https://medium.com/@martin.smolny/ibm-cloud-identity-and-access-management-securely-sharing-long-running-authentication-6a3ab3a878ba
  3. before using the bearer token, we could invoke some random unimportant but fast calls using the ibmcloud CLI, which will refresh the token for us

option 3 might be the easiest short-term solution. and, it seems like a safe bet that the user already has the ibmcloud CLI installed, given that we are only having this discussion if they have a bearer token, and this is usually done via that CLI.
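
Added example, not part of the original issue and not lunchpail's own code: option 3 in Go, reading the bearer token's `exp` claim locally and shelling out to the ibmcloud CLI only when the token is missing, unreadable, or about to expire. It assumes the bearer token is a JWT and that `ibmcloud iam oauth-tokens` refreshes the session and prints the token as `Bearer <jwt>`; the function names are hypothetical.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os/exec"
	"strings"
	"time"
)

// tokenExpiry reads the exp claim of a JWT bearer token. The signature is not
// verified: this is a local freshness check, not an authentication decision.
func tokenExpiry(bearer string) (time.Time, error) {
	parts := strings.Split(strings.TrimPrefix(bearer, "Bearer "), ".")
	if len(parts) != 3 {
		return time.Time{}, fmt.Errorf("not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims struct{ Exp int64 `json:"exp"` }
	if err != nil || json.Unmarshal(payload, &claims) != nil || claims.Exp == 0 {
		return time.Time{}, fmt.Errorf("missing or unreadable exp claim")
	}
	return time.Unix(claims.Exp, 0), nil
}

// freshToken keeps bearer if it outlives now+margin; unparsable counts as expired.
func freshToken(bearer string, now time.Time, margin time.Duration, refresh func() (string, error)) (string, error) {
	if exp, err := tokenExpiry(bearer); err == nil && exp.After(now.Add(margin)) {
		return bearer, nil
	}
	return refresh()
}

// cliRefresh is option 3; assumes the CLI refreshes and prints "Bearer <jwt>".
func cliRefresh() (string, error) {
	out, err := exec.Command("ibmcloud", "iam", "oauth-tokens").Output()
	_, rest, _ := strings.Cut(string(out), "Bearer ")
	if f := strings.Fields(rest); err == nil && len(f) > 0 {
		return f[0], nil // bare JWT, without the "Bearer " prefix
	}
	return "", fmt.Errorf("ibmcloud CLI gave no bearer token: %v", err)
}

func main() {
	const stale = "e30.eyJleHAiOjF9.sig" // constructed: payload {"exp":1}, long expired
	tok, err := freshToken(stale, time.Now(), 2*time.Minute, cliRefresh)
	fmt.Println("got token:", tok != "", "err:", err) // never log the token itself
}
```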
