ForgeRock / exampleOAuth2Clients

Example OAuth2 clients for standards-based profile management
ISC License

Alters AppAuth example to support token renewal #9

Closed jakefeasel closed 6 years ago

jakefeasel commented 6 years ago

Restructures the code significantly in order to make it easier to implement a first-party client, including silent / automatic token renewal.

Changes session checking at the AS to use the authorization code flow instead of implicit, and to be triggered from XHR requests rather than frequent polling.

lapinek commented 6 years ago

Looks good and works for me. A couple of comments:

  1. The OAuth configuration endpoints may be better presented as full URLs, for path and even hostname patterns may vary for different OPs. The current code suggests setting only opBasePath and expects:

     ```
     "authorization_endpoint": opBasePath + "/oauth2/authorize",
     "token_endpoint": opBasePath + "/oauth2/access_token",
     "revocation_endpoint": opBasePath + "/oauth2/token/revoke"
     ```

     Which would not work with Google:

     ```
     "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth"
     "token_endpoint": "https://oauth2.googleapis.com/token"
     "revocation_endpoint": "https://oauth2.googleapis.com/revoke"
     ```

  2. This should probably not belong to the Quick Start section:

     ```
     . . .
     mainScript.setAttribute("src", "libs/requirejs-2.1.14-min.js");
     . . .
     ```
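One way to support both configuration styles raised in the review above: derive endpoints from `opBasePath` when that is all the client is given, but let explicit full URLs override it so a provider like Google (different hosts for authorization and token endpoints) still works. This is an added example, not code from the exampleOAuth2Clients project; `resolveEndpoints`, `DEFAULT_PATHS` and the host `am.example.com` are assumptions made for illustration.

```javascript
// Added example (not from the exampleOAuth2Clients project). Resolves the three
// OAuth2 endpoints a client needs from either a single opBasePath or explicit URLs.
const ENDPOINT_KEYS = ["authorization_endpoint", "token_endpoint", "revocation_endpoint"];

// Path suffixes the PR's config assumes when only opBasePath is set (ForgeRock AM layout).
const DEFAULT_PATHS = {
  authorization_endpoint: "/oauth2/authorize",
  token_endpoint: "/oauth2/access_token",
  revocation_endpoint: "/oauth2/token/revoke",
};

function resolveEndpoints(config) {
  const resolved = {};
  for (const key of ENDPOINT_KEYS) {
    // An explicit full URL always wins; opBasePath is only a fallback.
    let url = config[key];
    if (!url) {
      if (!config.opBasePath) {
        throw new Error(`${key} not set and no opBasePath to derive it from`);
      }
      url = config.opBasePath.replace(/\/+$/, "") + DEFAULT_PATHS[key];
    }
    let parsed;
    try {
      parsed = new URL(url); // rejects relative paths and bare hostnames
    } catch (e) {
      throw new Error(`${key} is not an absolute URL: ${url}`);
    }
    // Authorization codes and tokens travel over these URLs; refuse plain http.
    if (parsed.protocol !== "https:") {
      throw new Error(`${key} must use https: ${url}`);
    }
    resolved[key] = parsed.toString();
  }
  return resolved;
}

// Constructed sample configs: the opBasePath style and the Google style.
const forgeRockStyle = resolveEndpoints({ opBasePath: "https://am.example.com/" });
const googleStyle = resolveEndpoints({
  authorization_endpoint: "https://accounts.google.com/o/oauth2/v2/auth",
  token_endpoint: "https://oauth2.googleapis.com/token",
  revocation_endpoint: "https://oauth2.googleapis.com/revoke",
});
```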