Handling of auth errors in SyncAuthManager is inconsistent at best, and I believe buggy in some cases (or at least, things work correctly only by chance).

Some issues/oddities:

- IdentityManager keeps track of the auth error state of the refresh token. However, SyncAuthError doesn't use that, and so doesn't expose these auth error, with the exception of CREDENTIALS_REJECTED_BY_CLIENT which corresponds to "Sync paused". (We do expose auth errors we get in AccessTokenFetched(), so maybe this is okay?)

- When the CREDENTIALS_REJECTED_BY_CLIENT error gets cleared, then that does *not* in itself trigger a new access token request [1]. Things seem to be working out only because we keep trying to fetch access tokens the whole time due to syncer::CONNECTION_AUTH_ERROR.

- Corollary to the above: We keep trying to fetch access tokens the whole time we're in the "Sync paused" state. That's pointless at best, and potentially harmful (we might get throttled/backed-off etc).

[1] https://cs.chromium.org/chromium/src/components/browser_sync/sync_auth_manager.cc?rcl=e5d14a874ac175c2014d3538908ed227228f1706&l=310