[Feature] Cache OIDC id_token to avoid redundant browser-based re-authentication #153

@juengler

Description:

The credential provider caches AWS STS credentials and a monitoring token, but does not cache and reuse the OIDC id_token for silent credential refresh.

Current flow when AWS credentials expire:

  1. Cached AWS credentials checked → expired.
  2. Full browser-based OIDC authentication triggered (browser popup).
  3. New id_token exchanged for AWS credentials via STS.
  4. AWS credentials cached.

The id_token typically has a longer validity (e.g., 1 hour) than the STS credential refresh cycle. When AWS credentials expire but the id_token is still valid, the provider should reuse the cached id_token to silently obtain new AWS credentials without a browser popup.

Expected behavior:

  1. Cache the OIDC id_token alongside its exp claim.
  2. On credential refresh, check if a cached id_token is still valid before launching browser auth.
  3. If valid, use it directly with AssumeRoleWithWebIdentity / Cognito Identity Pool for silent refresh.
  4. Only trigger browser-based auth when the id_token itself has expired.
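The refresh order described above as an added example, not code from the project itself: a Python sketch of a provider that caches the id_token with its exp claim and only falls back to the browser when that token is no longer usable. The interactive login and the STS exchange are passed in as callables, and the sample token builder and the 60-second clock-skew margin are assumptions made for the example.

```python
import base64
import json
import time
from dataclasses import dataclass
from typing import Callable, Optional

CLOCK_SKEW = 60  # assumed margin so a token is not reused right at its exp boundary

def id_token_exp(id_token: str) -> int:
    """Read the exp claim from a JWT payload without verifying the signature.
    The value is only a local refresh hint; STS still validates the token itself."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

@dataclass
class AwsCreds:
    access_key: str
    expiration: int  # epoch seconds

class CredentialProvider:
    def __init__(self, browser_auth: Callable[[], str], exchange: Callable[[str], AwsCreds]):
        self.browser_auth = browser_auth   # interactive OIDC login -> id_token
        self.exchange = exchange           # id_token -> AWS creds (e.g. AssumeRoleWithWebIdentity)
        self.id_token: Optional[str] = None
        self.id_token_exp = 0
        self.creds: Optional[AwsCreds] = None
        self.browser_logins = 0            # counts popups, so tests can see when one happened

    def _cache_id_token(self, token: str) -> None:
        self.id_token, self.id_token_exp = token, id_token_exp(token)

    def get_credentials(self, now: Optional[int] = None) -> AwsCreds:
        now = int(time.time()) if now is None else now
        if self.creds and self.creds.expiration - CLOCK_SKEW > now:
            return self.creds              # cached AWS credentials still valid
        if not (self.id_token and self.id_token_exp - CLOCK_SKEW > now):
            self.browser_logins += 1       # id_token missing or expired: interactive auth
            self._cache_id_token(self.browser_auth())
        self.creds = self.exchange(self.id_token)  # silent refresh with the cached id_token
        return self.creds

def make_unsigned_token(exp: int) -> str:
    """Constructed sample token for the example: header.payload with a placeholder signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "RS256", "typ": "JWT"})}.{enc({"sub": "user", "exp": exp})}.placeholder-sig'
```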
