auth-keycloak: make sure the token is always valid for at least 20 seconds

The keycloak library currently only sends us an event in case the token is about to expire, which is problematic because there is a time window where we don't have a new token yet and on mobile the timers used might be suspended and come too late.

To avoid this we check every 10 seconds that the token is valid for 30 and to work around suspended timers we also check on "visibilitychange" which should trigger then the website gets visible again after the browser sleeps.