verify id token validity [On Hold]

[idg-sam]

new commit implements:

• auth_required decorator that checks for id token + exp validation
  • auth_required on index '/' route
  • auth_required on graphcall '/graphcall' route
  • don't destroy session based on id token or logout, only remove 'user' and 'token_cache' on logout.
  • session TTL not tied to ID token exp claim

[idg-sam]

In this PR, once the user's token expires:

1. The user is redirected to our-app/login. The user then clicks sign in to be redirected to AAD/authorize.
2. At the AAD/authorize endpoint, one of two things happens: a. If the user has only have one signed-in account with AAD, it passes through silently b. If the user has multiple signed-in accounts on AAD, AAD will ask the user to to choose one

• Is 1. the behaviour we want? If not, we can skip this step if the user is signed-in but token has expired (e.g., send them directly to AAD/authorize)
• Is 2.b. the behaviour we want? If not, we can pass in a login_hint when sending them to AAD/authorize

I'll check in a test that makes the ID token refresh seamless. I'll use the preferred_username claim as the login_hint.

[rayluo]

Thanks @idg-sam for the prototyping. We ended up choosing to move most of this kind of helper logic into a separate helper library, instead of adding more and more helpers into this sample. Closing this PR now.