Unnecessary requests made during token refresh

[enj]

Fosite misinterprets the CLI's attempt to refresh via the basic auth header to mean that it is actually trying to authenticate as a public client (even though the client secret is empty):

token_handler.go:50] "token request error" name="invalid_client" status="Unauthorized" description="Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The OAuth 2.0 Client supports client authentication method 'none', but method 'client_secret_basic' was requested. You must configure the OAuth 2.0 client's 'token_endpoint_auth_method' value to accept 'client_secret_basic'." debug=""

This slows down the refresh flow because it adds a pointless POST request and it leads to some really confusing messages in our logs.

I opened ory/fosite#655 in an attempt to fix this (see more detailed explanation of the issue there).

This issue tracks getting this resolved upstream and our dependencies updated downstream.

[enj]

ory/fosite#655 was merged and included in ory/fosite@v0.42.1...v0.42.2 which we picked up in #1131 and released in v0.16.0. We should validate that in v0.15.0, refresh flows had the scary log message noted above, and that in v0.16.0 we no longer see the scary log message. Afterwards we can update the release note to mention that this was also fixed.