t3ext-oidc

TYPO3 session must match token lifetime

Open liayn opened this issue 9 months ago • 0 comments

IdPs may revoke tokens for a user/grant, e.g. if permissions of a user are modified or a user is deleted.

In order to ensure that revoked tokens (access/refresh) actually take effect, the session timeout must be bound to the token lifetime. Moreover, if the user is still active, but the token is about to expire, a refresh must be triggered, implicitly causing a session termination if the refresh token has expired.

liayn, Apr 15 '25 08:04
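The behaviour requested in the issue above, as an added example in plain PHP; it is not code from t3ext-oidc or its author and uses no TYPO3 API. The function name, the session array keys, the 60-second skew and the `$refresh` callable (a stand-in for the token-endpoint call with `grant_type=refresh_token`) are assumptions, and the sample sessions are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: decides per request whether the local session may
// continue, based only on the lifetime of the tokens behind it.
// Assumed $session keys: access_expires_at (unix ts), refresh_token (string|null).
// $refresh returns ['expires_in' => int, 'refresh_token' => string|null], or null
// when the IdP rejects the refresh token (expired or revoked).
function enforceTokenLifetime(array $session, int $now, callable $refresh, int $skew = 60): array
{
    // Access token still valid beyond the skew window: keep the session,
    // but report the token expiry as the latest point the session may live to.
    if ($session['access_expires_at'] - $now > $skew) {
        return ['action' => 'keep', 'valid_until' => $session['access_expires_at'], 'session' => $session];
    }

    // Token expired or about to expire: a refresh is the only way to continue.
    $tokens = empty($session['refresh_token']) ? null : $refresh($session['refresh_token']);
    if ($tokens === null) {
        // Refresh token missing, expired or revoked: terminate the local session.
        return ['action' => 'terminate', 'valid_until' => $now, 'session' => null];
    }

    $session['access_expires_at'] = $now + (int)$tokens['expires_in'];
    // IdPs may rotate the refresh token; keep the old one only if none is returned.
    $session['refresh_token'] = $tokens['refresh_token'] ?? $session['refresh_token'];
    return ['action' => 'refreshed', 'valid_until' => $session['access_expires_at'], 'session' => $session];
}

// Constructed IdP stub: only "rt-valid" is still accepted, everything else is revoked.
$idp = static fn (string $rt): ?array =>
    $rt === 'rt-valid' ? ['expires_in' => 300, 'refresh_token' => 'rt-valid-2'] : null;

$now = 1700000000; // fixed clock so the run is reproducible
$cases = [
    'fresh token'      => ['access_expires_at' => $now + 200, 'refresh_token' => 'rt-valid'],
    'about to expire'  => ['access_expires_at' => $now + 30,  'refresh_token' => 'rt-valid'],
    'revoked grant'    => ['access_expires_at' => $now + 30,  'refresh_token' => 'rt-revoked'],
    'no refresh token' => ['access_expires_at' => $now - 10,  'refresh_token' => null],
];
foreach ($cases as $label => $session) {
    $result = enforceTokenLifetime($session, $now, $idp);
    printf("%-17s => %-10s valid_until=%d\n", $label, $result['action'], $result['valid_until']);
}
```

With this design a revocation at the IdP is noticed at the next refresh attempt, so the access-token lifetime is the upper bound on how long a revoked grant keeps a session alive.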