Use the external identity provider for refresh of logins. When a user is logged in via an external identity provider, use the same identity provider for a refresh when it expires. The expiration time is controlled via the classical OpenACS parameters.
Note that in general, the same user might be authenticated via a classical OpenACS authority (e.g. local authority) and/or via an external one (e.g. Microsoft Identity Platform (Azure) or GitHub). For single-sign-ons, when the token is still valid, the redirect to the external identity provider does not mean necessarily that the use is shown the external identity provider's login page.
Added preliminary support for secondary registries (e.g., MS Azure via oauth2) - When login happened via external registry, the logout should happen there as well. - let "sec_login_read_cookie" return a dict instead of a list (eases future extension) - bump version number to 5.10.1d31