apache / druid

Apache Druid: a high performance real-time analytics database.

Home Page:https://druid.apache.org/


unified console + pac4j does not handle token refresh correctly

vali-um opened this issue · comments

Affected Version

28.0.1

Description

Once one is authenticated via OIDC on the unified console, and after the session token expires, the console only shows network errors. This behavior was also reported in #12183.
On the browser console I can see that Druid tries to place a CORS request to re-authenticate via the published authorization_endpoint URL, which is denied by CORS settings.
This is because, according to the RFC, the authorization endpoint may only be used for an authorization flow that redirects the user. See https://www.rfc-editor.org/rfc/rfc6749#section-3
For a programmatic refresh of the session token, the separate refresh token must be used on the token_endpoint.
The possibility to do so was already implemented in pac4j: pac4j/pac4j#1463

Prerequisites:

The pac4j plugin is correctly configured and enables logins via OIDC.
After an unauthenticated session tries to access the unified console, the user is forwarded to the OIDC provider and can log in.

The session is now authenticated until the session token expires.

Expected behaviour:

The OIDC plugin uses the refresh_token on the token_endpoint to refresh a session.
The session keeps working until the OIDC provider does not allow a refresh; in this case the user should be forwarded back to the login page of the OIDC provider.
See https://www.rfc-editor.org/rfc/rfc6749#section-1.5

Observed behaviour:

Druid tries to re-authenticate the user via the authorization endpoint, which may not be used in a CORS request and therefore fails.
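The two-endpoint behaviour the report asks for, as an added example that is not Druid's or pac4j's code: a back-channel refresh against the token_endpoint (RFC 6749 section 6), and a browser redirect to the authorization_endpoint only when the provider refuses the refresh. The provider URLs, client id, secret and `state` value are constructed placeholders.

```python
import json
from urllib.parse import urlencode

# Constructed provider metadata (assumption); a real client takes these
# values from the OIDC discovery document.
PROVIDER = {
    "authorization_endpoint": "https://idp.example/authorize",
    "token_endpoint": "https://idp.example/token",
}

def refresh_request(refresh_token, client_id, client_secret):
    """Back-channel refresh request of RFC 6749 section 6: a form-encoded
    POST to token_endpoint. authorization_endpoint is not involved; it only
    serves user-agent redirects (section 3.1), which is why the XHR in the
    issue is rejected by CORS."""
    body = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return {
        "url": PROVIDER["token_endpoint"],
        "method": "POST",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(body),
    }

def login_redirect(client_id, redirect_uri, state):
    """Fallback once a refresh is refused: the URL the browser is sent to
    with a top-level redirect (not a fetch) to start a new login."""
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,  # anti-CSRF value bound to the user session
    }
    return PROVIDER["authorization_endpoint"] + "?" + urlencode(query)

def handle_token_response(status, body, client_id, redirect_uri, state):
    """Return ("refreshed", tokens) on success, or ("redirect", url) when the
    provider no longer allows a refresh (invalid_grant, section 5.2)."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return ("refreshed", data)
    if data.get("error") == "invalid_grant":
        return ("redirect", login_redirect(client_id, redirect_uri, state))
    raise RuntimeError(f"token endpoint error: {data.get('error')}")
```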