oauth: readAndWatchSecret is not thread safe

[rgs1]

We should protect the client and token secrets with locks:

https://github.com/envoyproxy/envoy/blob/main/source/extensions/filters/http/oauth2/filter.h#L60

Report: https://envoyproxy.slack.com/archives/C78HA81DH/p1652217023289709

cc: @derekargueta @snowp @fishcakez @JuniorHsu

[snowp]

Typically we avoid locks here and instead post thread local updates - any reason why we'd need a lock here?

[rgs1]

Typically we avoid locks here and instead post thread local updates - any reason why we'd need a lock here?

No particular reason, message posting is probably fine (I think Matt just generally meant that this was thread unsafe, without prescribing a solution – I lazily transcribed that into an issue).