
Add ability to dynamically update client ids and secrets

Open olsona opened this issue 7 years ago • 2 comments

Instead of only keeping client ids and secrets in member vars of a class instance that may not be updated, we should add the ability to dynamically update them.

olsona, Oct 15 '18 20:10

One way to achieve this would be to put secrets behind a local "vault" extension. The Vault would be an interface that is implemented from a runtime extension. The default impl could be a Map-backed implementation that sources from env variables and a config file (similar to today). This impl could be replaced by one that does dynamic lookup against a real cloud vault service or key storage such as etcd or Consul.

jimmarino, Oct 17 '18 13:10

FWIW for the Google Cloud extension, they're already configured to dynamically update within the GoogleAppCredentialStore implementation -- they use a loading cache which periodically polls from Google Cloud Storage where they are stored. However they're then cached into local variables outside the store. GCS is probably not the best way to store configuration which may need to be dynamically updated, etcd could be better.

I guess a benefit of a vault extension, rather than each AppCredentialStore impl receiving updates, would be that it could be reused within a cloud extension for other sensitive keys besides the app credentials.

rtannenbaum, Oct 17 '18 13:10
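
A sketch of the vault idea from the two comments above, added here as an illustration and not taken from the data-transfer-project code base: a Map-backed default that merges a config file with env variables, wrapped so the snapshot is reloaded after a TTL and callers resolve the secret at use time instead of copying it into a field. `Vault`, `snapshot`, `RefreshingVault`, and the key `EXAMPLE_SECRET` are hypothetical names.

```java
import java.time.Duration;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Properties;
import java.util.function.Supplier;

public class VaultExample {
  /** Hypothetical extension point: callers ask for a secret each time they need it. */
  interface Vault { Optional<String> resolve(String key); }

  /** Map-backed default: config file entries, overridden by env variables. */
  static Map<String, String> snapshot(Properties config, Map<String, String> env) {
    Map<String, String> merged = new HashMap<>();
    config.stringPropertyNames().forEach(k -> merged.put(k, config.getProperty(k)));
    merged.putAll(env); // env takes precedence over the file
    return Map.copyOf(merged);
  }

  /** Re-runs the loader once the snapshot is older than ttl, so rotated secrets are picked up. */
  static final class RefreshingVault implements Vault {
    private final Supplier<Map<String, String>> loader;
    private final long ttlNanos;
    private Map<String, String> current;
    private long loadedAt;
    RefreshingVault(Supplier<Map<String, String>> loader, Duration ttl) {
      this.loader = loader;
      this.ttlNanos = ttl.toNanos();
    }
    @Override
    public synchronized Optional<String> resolve(String key) {
      long now = System.nanoTime();
      if (current == null || now - loadedAt >= ttlNanos) {
        current = loader.get(); // a cloud-backed loader could be swapped in here
        loadedAt = now;
      }
      return Optional.ofNullable(current.get(key));
    }
  }

  public static void main(String[] args) {
    Properties file = new Properties();
    file.setProperty("EXAMPLE_SECRET", "constructed-v1"); // constructed sample value
    // A real deployment would pass System.getenv(); an empty map keeps this run deterministic.
    Vault vault = new RefreshingVault(() -> snapshot(file, Map.of()), Duration.ZERO);
    String before = vault.resolve("EXAMPLE_SECRET").orElseThrow();
    file.setProperty("EXAMPLE_SECRET", "constructed-v2"); // simulate a rotation
    String after = vault.resolve("EXAMPLE_SECRET").orElseThrow();
    // Never log the secret itself; report only whether the rotation was observed.
    System.out.println("rotation visible: " + !before.equals(after));
  }
}
```

A consumer that stores the result of `resolve` in a member variable reintroduces the stale-value problem the issue describes; holding the `Vault` reference and resolving per request avoids it.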