Mix local and remote token validation
See https://gitlab.tugraz.at/VPU/Middleware/API/issues/11#note_4091
- Do a remote introspection and cache the result for 5 minutes, use the hashed token as key
- Do a local validation
This means any access token needs to be validated by keycloak the first time and then every 5 minutes, independent of the token lifetime which should be a good trade off for all common cases.