We accept an OIDC access token issued by a trusted identity provider to refresh a Nominal access token.
The access token is validated and exchanged for a Nominal access token. To be used in this endpoint,
the OIDC access token must contain an email claim.
The org rid from the expiring session should be provided to deconflict if the user is a member of
multiple orgs.