At least for openid connect, I think we hashed this through on our dev
* There will be a Protocol Claim Mapper that can add a facebook token
and expiration claim to the application's access token.
* the refreshToken endpoint will accept a "scope" parameter. The
application can then request the refresh of any external token by
specifying this token in the "scope parameter.
JBoss, a division of Red Hat