Avoid an OIDC refresh token call if the JWT refresh token has expired #43081
Fixes #41830.
This PR is really about an optimization as opposed to a bug fix. If Quarkus OIDC can figure out that the refresh token has expired, then there is no point to attempt to use it and make another call to refresh the tokens, as it will fail anyway.
So the PR checks if the refresh token is in JWT format as in the case of #41830, and if yes, it checks the expiry `exp` claim, which is a number of seconds from the epoch, and if it is less than the current time, it has expired, and no other refresh call is made. I've done a minor code refactoring, where the refresh token is checked, just to avoid some duplication, but the only new change which is made here is this refresh token expiry check.
Added a test to confirm it is effective.
This PR will most likely benefit Keycloak users only as it is the only provider I know of which allocates refresh tokens in the JWT format. Most other providers issue binary refresh tokens. In the future, we might be able to support checking the expiry of binary refresh tokens too if their expiry time is returned as a JSON property...
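The check described in this PR, written out as an added stand-alone example (not the Quarkus OIDC code from the PR itself): a refresh token is only treated as expired when it parses as a JWT with a numeric `exp` claim that lies in the past; opaque (binary) refresh tokens, or JWTs without `exp`, are passed through to the provider as before. The sample tokens are constructed, unsigned fixtures built inline for illustration; no signature is verified here because this is purely a client-side optimization and the provider still validates whatever it receives.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_exp(token: str):
    """Return the numeric `exp` claim of a JWT as an int, or None when the token is
    not a JWT (e.g. an opaque/binary refresh token) or carries no usable `exp`."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # not header.payload.signature, so not a JWT
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSON errors
        return None
    if not isinstance(payload, dict):
        return None
    exp = payload.get("exp")
    # RFC 7519 says exp is a NumericDate; reject booleans, which are ints in Python.
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return None
    return int(exp)


def refresh_token_expired(token: str, now: int = None) -> bool:
    """True only when we can prove the refresh token has expired.

    Unknown expiry (opaque token, no exp claim) returns False so the refresh
    request is still attempted, exactly as before the optimization."""
    exp = jwt_exp(token)
    if exp is None:
        return False
    if now is None:
        now = int(time.time())
    return exp < now  # seconds since the epoch, compared to the current time


def make_unsigned_jwt(payload: dict) -> str:
    """Constructed test fixture: an alg=none JWT with an empty signature segment.
    A real provider would never accept this; it only exercises the parsing above."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    fixed_now = 1_700_000_000  # constructed reference time for a deterministic demo
    expired = make_unsigned_jwt({"typ": "Refresh", "exp": fixed_now - 60})
    valid = make_unsigned_jwt({"typ": "Refresh", "exp": fixed_now + 3600})
    opaque = "opaque-binary-refresh-token"
    for label, tok in [("expired JWT", expired), ("valid JWT", valid), ("opaque", opaque)]:
        action = "skip refresh" if refresh_token_expired(tok, fixed_now) else "attempt refresh"
        print(f"{label:12s} -> {action}")
```

The deciding property is the asymmetry in `refresh_token_expired`: only a positive proof of expiry short-circuits the refresh call, so providers that issue binary refresh tokens keep the existing behaviour and a malformed or unusual token is never mistaken for an expired one.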