We accept an OIDC access token issued by a trusted identity provider to refresh a Nominal access token.
The access token is validated and exchanged for a Nominal access token. To be used in this endpoint,
the OIDC access token must contain an email claim. The org rid from the expiring session should be provided.
It is required for guest users and multi-org users to determine what org the Nominal token should be minted for.