Do we need to have seconds at all for token timeouts? Removing seconds from token would make it simpler, but also make sure no one sets timeouts that are to short (see https://issues.jboss.org/browse/KEYCLOAK-1341)