Stabilise support for Refresh Tokens and support Refresh Token expiry

[reivilibre]

This is a list of things that I need to do to rejuvenate refresh tokens.

• add more configuration options and rename the existing access_token_lifetime option as it's a misnomer (1)
• make changes to update to the latest version of the MSC
• drop the unstable prefixes
• add developer documentation
• add admin documentation
• make refresh tokens expirable
• support session lifetime properly (? — don't know if strictly required yet)

(1): access_token_lifetime merely refers to refreshable access tokens. New options include:

• lifetime of non-refreshable access tokens
• lifetime of refresh tokens themselves
  Also should consider how session_lifetime will be made to work as the 'ultimate session lifetime', since currently the two options are not compatible despite being about the same thing...?
  Also should document the configuration option since, being experimental, it has not been documented yet.