OIDC ID token auto-refresh support

[sberyozkin]

This PR follows up #11718 (which adds an option to extend the session in order to keep RT around for longer) and adds another option to auto-refresh ID tokens if the validated ID token will expire within the configured token.auto-refresh-interval.
This should offer a more robust solution, as extending the session on its own only relies on the possibility of the OP session still being active for the RT grant to work.
I've added a test and also verified that without adding a new property in the new tenant-autorefresh configuration the test fails.

In this PR an exception is thrown for the recovery code in CodeAuthenticationMechanism which does refresh the tokens and updates the session to take control. The exception is thrown only after the ID token has been verified and the SecurityIdentity calculated - the difference in this case is that if the RT grant fails we still continue because the current ID token is still valid (not expired).
Also some precautions are taken to 1) avoid auto-refreshing on the initial authentication request and 2) avoid looping as the refreshed tokens also get verified.

[sberyozkin]

@gastaldi Hi George, by the way, I've realized that since we use Duration the users can use whatever format they prefer :-), so it is really just a recommendation to use seconds or minutes for a given property

[gsmet]

Looks like the tests are failing.

[sberyozkin]

Hi @gsmet I see the kubernetes-client test failing, I'll rebase

[gsmet]

I disabled the failing test in master, rebased and force-pushed.

[gsmet]

Better include that one in CR1 to get feedback.

[sberyozkin]

@gsmet Thanks Guillaume, good idea