auth-keycloak: make sure the token is always valid for at least 20 seconds

The keycloak library currently only sends us an event in case the token
is about to expire, which is problematic because there is a time window
where we don't have a new token yet and on mobile the timers used
might be suspended and come too late.

To avoid this we check every 10 seconds that the token is valid for 30
and to work around suspended timers we also check on "visibilitychange"
which should trigger then the website gets visible again after the browser
sleeps.