Relax auth_time validation on ID token refresh

[answndud]

When an OP refreshes an ID token and updates auth_time (for example after SSO session renewal), strict equality with the previous ID token can reject an otherwise valid refreshed token.

This change relaxes that check in both servlet and reactive paths:

• keep issuer/sub/aud/nonce checks as-is
• validate auth_time is not after refreshed token iat (with configured clock skew)

Updated tests:

• OidcAuthorizedClientRefreshedEventListenerTests
• RefreshOidcUserReactiveOAuth2AuthorizationSuccessHandlerTests

Verification:

• ./gradlew -PtestToolchain=21 -PtestCompileTargetVersion=21 :spring-security-oauth2-client:test --tests "org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizedClientRefreshedEventListenerTests" --tests "org.springframework.security.oauth2.client.RefreshOidcUserReactiveOAuth2AuthorizationSuccessHandlerTests" -x :spring-security-javascript:nodeSetup -x :spring-security-javascript:npmInstall -x :spring-security-javascript:npm_run_assemble -x :spring-security-javascript:assemble

Fixes #18839

[answndud]

Hi team, friendly follow-up on this PR. If you'd prefer a different direction or any changes, I'm happy to update it.