fix multi-document update for refreshing OAuth access tokens

[jshslsky]

OAuth2Controller.tokenFromRefresh() adds a token and invalidate the old one with two updates. This should be combined into one.