Use the external identity provider for refresh of logins. When a user is logged in via an external identity provider, use the same identity provider for a refresh when it expires. The expiration time is controlled via the classical OpenACS parameters.
Note that in general, the same user might be authenticated via a classical OpenACS authority (e.g. local authority) and/or via an external one (e.g. Microsoft Identity Platform (Azure) or GitHub). For single-sign-ons, when the token is still valid, the redirect to the external identity provider does not necessarily mean that the user is shown the external identity provider's login page.