In the case where a token is valid when a call is made to Identity, but expires before we read and calculate that token's TTL, the token is cached for the configured amount of time. It should not get cached at all, since it has expired.
Corner Case - Token expires at 23:59:05. We pull the token at 23:59:04 and cache it with our own expiration. We then call identity to get groups. Token could potentially fail this call by expiring between calls.
We shouldn't cache the token because once we cache, we assume that token is valid and we stop calling identity.
We no longer cache this token.