Relax auth_time validation on ID token refresh

[answndud]

When an OP refreshes an ID token and updates auth_time (for example after SSO session renewal), strict equality with the previous ID token can reject an otherwise valid refreshed token.

This change relaxes that check in both servlet and reactive paths:

• keep issuer/sub/aud/nonce checks as-is
• validate auth_time is not after refreshed token iat (with configured clock skew)

Updated tests:

• OidcAuthorizedClientRefreshedEventListenerTests
• RefreshOidcUserReactiveOAuth2AuthorizationSuccessHandlerTests

Verification:

• ./gradlew -PtestToolchain=21 -PtestCompileTargetVersion=21 :spring-security-oauth2-client:test --tests "org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizedClientRefreshedEventListenerTests" --tests "org.springframework.security.oauth2.client.RefreshOidcUserReactiveOAuth2AuthorizationSuccessHandlerTests" -x :spring-security-javascript:nodeSetup -x :spring-security-javascript:npmInstall -x :spring-security-javascript:npm_run_assemble -x :spring-security-javascript:assemble

Fixes #18839

[answndud]

Hi team, friendly follow-up on this PR. If you'd prefer a different direction or any changes, I'm happy to update it.

[jgrandja]

@answndud Closing this as a fix is not required. Please see this comment.

In the future, please hold off on submitting a fix until the team has evaluated the issue and determined if a fix is required. Thanks.

[answndud]

Sorry for jumping ahead with a fix before the team had finished evaluating the issue. I’ve been experimenting with an AI agent to automate parts of the contribution process, and I mistakenly allowed it to submit this PR prematurely without proper oversight. I’ll make sure to wait for the team's evaluation in the future before submitting any further fixes. Thanks for your understanding."