Story
Resolution: Unresolved
Quality / Stability / Reliability
We are currently handling token refreshes with custom code in OIDCClientCredentialsCallCredentials.
There is an off-the-shelf version of this implemented in google-auth-library-oauth2-http, here: https://github.com/googleapis/google-auth-library-java/blob/3e44bb99fc04e63c830c214943520687759d1447/oauth2_http/java/com/google/auth/oauth2/OAuth2Credentials.java#L214
The Google library is more sophisticated and is maintained by someone else. In particular, it handles the case where an authorization server takes a long time to respond: it does not wait for the refresh task to complete before offering a still-valid token to the caller. In the current implementation, all calls block while the token is refreshed. This could create significant back-pressure, especially if the authorization server is down or slow and/or for high-throughput checks. There may be other cases the library handles.
This should ideally be done after RHCLOUD-34624 so this logic can be reused in all Kessel Java client libraries.
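
The difference in refresh behaviour described above, as an added JDK-only sketch (Java 17). It is not code from google-auth-library or from the Kessel client, and the class, field and parameter names are hypothetical. Callers holding a still-valid token get it back immediately while one background refresh runs; only callers with no usable token wait.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.CompletableFuture;
import java.util.function.Supplier;

// Illustration only: hypothetical names, simplified (no retry backoff, no clock injection).
public final class StaleWhileRefreshTokenCache {
    public record Token(String value, Instant expiresAt) {}

    private final Supplier<Token> fetcher;      // blocking call to the authorization server
    private final Duration refreshMargin;       // begin refreshing this long before expiry
    private final Object lock = new Object();
    private Token current;                      // guarded by lock
    private CompletableFuture<Token> inFlight;  // guarded by lock; non-null while a refresh runs

    public StaleWhileRefreshTokenCache(Supplier<Token> fetcher, Duration refreshMargin) {
        this.fetcher = fetcher;
        this.refreshMargin = refreshMargin;
    }

    public Token get() {
        CompletableFuture<Token> pending;
        synchronized (lock) {
            Instant now = Instant.now();
            boolean valid = current != null && now.isBefore(current.expiresAt());
            boolean fresh = valid && now.isBefore(current.expiresAt().minus(refreshMargin));
            if (fresh) return current;
            // Inside the margin or expired: make sure exactly one refresh is running.
            CompletableFuture<Token> refresh = (inFlight != null) ? inFlight : startRefresh();
            if (valid) return current;  // still usable: do not wait on a slow server
            pending = refresh;          // nothing usable: this caller has to wait
        }
        return pending.join();          // wait outside the lock; failure surfaces as CompletionException
    }

    // Caller must hold the lock. A failed refresh keeps the old token; the next get() retries.
    private CompletableFuture<Token> startRefresh() {
        CompletableFuture<Token> f = CompletableFuture.supplyAsync(fetcher);
        inFlight = f;
        f.whenComplete((token, error) -> {
            synchronized (lock) {
                if (error == null) current = token;
                if (inFlight == f) inFlight = null;
            }
        });
        return f;
    }
}
```

A fully blocking design corresponds to a `refreshMargin` of zero: every caller that arrives after expiry waits on the same fetch, which is the back-pressure case the description is concerned with.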