
[Docs] Document the ability to configure expiry on refresh token cookie


      Description of problem:

      Citi reported an issue with long expiry dates on refresh token cookies.
      See support case

      See Slack thread

      Upon further investigation, it was determined that Backstage sets the expiry date to 1000 days. We should shorten this to 400 days to align with the recommendation in the draft cookie policy. In addition, it seems possible to configure the values. 

      The 1000 day constants are set in the following modules:

      1. https://github.com/backstage/backstage/blob/v1.32.0/plugins/auth-backend/src/lib/oauth/OAuthAdapter.ts#L332
      2. https://github.com/backstage/backstage/blob/master/plugins/auth-node/src/oauth/OAuthCookieManager.ts#L20

      The second one should fix the reported issue. We should update the first one as well, but I'm not sure which area that would impact.
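As an added illustration (not Backstage's own code; the function names, cookie name and attributes are assumptions), a small TypeScript helper that derives the refresh-token cookie options from a configurable day count capped at the 400-day ceiling mentioned above, together with a Set-Cookie audit that reads back the lifetime the reproduction steps ask you to note:

```typescript
// Added example, not Backstage code. Hypothetical helpers: a policy-capped
// cookie option builder and a Set-Cookie lifetime audit.
const DAY_SECONDS = 24 * 60 * 60;
const DEFAULT_MAX_AGE_DAYS = 400; // default proposed in the ticket
const POLICY_CEILING_DAYS = 400;  // draft cookie policy cap referenced in the ticket

interface RefreshCookieOptions {
  httpOnly: true;
  secure: boolean;
  sameSite: 'lax';
  maxAge: number; // milliseconds, as express res.cookie() expects
}

// Operator-supplied value (in days) overrides the default but is clamped to
// the policy ceiling instead of being honoured silently.
function refreshCookieOptions(configuredDays?: number, secure = true): RefreshCookieOptions {
  const days = configuredDays ?? DEFAULT_MAX_AGE_DAYS;
  if (!Number.isFinite(days) || days <= 0) {
    throw new Error(`invalid refresh cookie expiry: ${configuredDays}`);
  }
  const effective = Math.min(days, POLICY_CEILING_DAYS);
  return { httpOnly: true, secure, sameSite: 'lax', maxAge: effective * DAY_SECONDS * 1000 };
}

// Lifetime in days from a Set-Cookie header: Max-Age wins, Expires (relative
// to `now`) is the fallback, null means a session cookie.
function cookieLifetimeDays(setCookie: string, now: Date = new Date()): number | null {
  const attrs = setCookie.split(';').slice(1).map(a => a.trim());
  for (const a of attrs) {
    const m = /^max-age=(-?\d+)$/i.exec(a);
    if (m) return Number(m[1]) / DAY_SECONDS;
  }
  for (const a of attrs) {
    const m = /^expires=(.+)$/i.exec(a);
    if (m) {
      const t = Date.parse(m[1]);
      if (!Number.isNaN(t)) return (t - now.getTime()) / (DAY_SECONDS * 1000);
    }
  }
  return null;
}

// True when a cookie outlives the policy ceiling (the condition Citi reported).
function exceedsPolicy(setCookie: string, now?: Date): boolean {
  const days = cookieLifetimeDays(setCookie, now);
  return days !== null && days > POLICY_CEILING_DAYS;
}

// Constructed sample headers: the 1000-day lifetime from the ticket and a compliant 400-day one.
const SAMPLE_LONG = 'example-refresh-token=abc; Path=/api/auth/example; Max-Age=86400000; HttpOnly; Secure; SameSite=Lax';
const SAMPLE_OK = 'example-refresh-token=abc; Path=/api/auth/example; Max-Age=34560000; HttpOnly; Secure; SameSite=Lax';
```

Running `exceedsPolicy` over the Set-Cookie headers captured in step 4 gives a repeatable check that the fix (or a configured value) actually took effect.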

      Prerequisites (if any, like setup, operators/versions):

      Steps to Reproduce

      1. Set up RHDH with GH or Keycloak auth
      2. Log in with your credentials
      3. In the browser, right click and select Inspect.
      4. Find the refresh token cookie in the storage/application tab and note the expiry date

      Actual results:

      • max-age/expiry should be set to 400d by default OR
      • user configured value

      Expected results:

      See above

      Reproducibility (Always/Intermittent/Only Once):

      Always

              ffloreth@redhat.com Fabrice Flore-Thébault
              hmanwani@redhat.com Heena Manwani
              RHIDP - Documentation