Since Keycloak 1.1 with https://issues.jboss.org/browse/KEYCLOAK-760
we have expiration date available from access endpoint.

POST /auth/realms/shoot-realm/tokens/access/codes

{"access_token":"eyJhbG", "expires_in":300, "refresh_expires_in":1800, "refresh_token":"eyJhbGciOiJ", "token_type":"bearer", "id_token":"eyJhb", "not-before-policy":0, "session-state":"57ea9394-e8d7-4200-bfa0-48f5b1eb0ad4"}

Add it to storage and remove decoding code for refresh token