Check group memberships on OAuth2 token request #8

@alexdutton

Refresh group memberships when someone requests a token for a user (either a grant or a refresh). This means the longest between privilege checks would be an hour, so no user can use OAuth2 to get unending access conferred by group memberships they should no longer possess (e.g. due to an affiliation being removed, or transitioning to leaver status).
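An added sketch of the behaviour this issue asks for, not code from this project: memberships are re-read from the source of truth on every grant and every refresh, so a removed group disappears from the next token. `TokenServer`, `directory`, `cached_groups`, refresh-token rotation and the deny-on-leaver policy are all assumptions made for illustration.

```python
import secrets

ACCESS_TOKEN_LIFETIME = 3600  # seconds: the one-hour bound the issue mentions


class TokenServer:
    def __init__(self, directory):
        self.directory = directory   # hypothetical source of truth: user -> set of groups
        self.cached_groups = {}      # memberships as of the last check
        self.refresh_tokens = {}     # refresh token -> user

    def _issue(self, user, now):
        # Re-read memberships on every issuance instead of trusting the cache.
        if user not in self.directory:  # account gone, e.g. leaver (assumed policy: deny)
            self.cached_groups.pop(user, None)
            self.refresh_tokens = {t: u for t, u in self.refresh_tokens.items() if u != user}
            raise PermissionError(f"{user} is no longer entitled to tokens")
        self.cached_groups[user] = set(self.directory[user])
        refresh_token = secrets.token_urlsafe(16)
        self.refresh_tokens[refresh_token] = user
        return {
            "access_token": secrets.token_urlsafe(16),
            "refresh_token": refresh_token,
            "groups": sorted(self.cached_groups[user]),
            "expires_at": now + ACCESS_TOKEN_LIFETIME,
        }

    def grant(self, user, now):
        return self._issue(user, now)

    def refresh(self, refresh_token, now):
        user = self.refresh_tokens.pop(refresh_token, None)  # single use: rotate
        if user is None:
            raise PermissionError("unknown or revoked refresh token")
        return self._issue(user, now)


def demo():
    directory = {"alice": {"staff", "finance-admins"}}  # constructed sample data
    server = TokenServer(directory)
    first = server.grant("alice", now=0)
    directory["alice"].discard("finance-admins")  # affiliation removed
    second = server.refresh(first["refresh_token"], now=first["expires_at"])
    del directory["alice"]  # user becomes a leaver
    try:
        server.refresh(second["refresh_token"], now=second["expires_at"])
        outcome = "issued"
    except PermissionError:
        outcome = "denied"
    return first["groups"], second["groups"], outcome
```
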
