You will need some custom pre-auth middleware that checks for the existence of an Authorization header, if this header is present and contains an OPIDC ID token, then it just returns, if however the header is missing, it can then redirect to the login page.
Unfortunately that's as far as it goes, if the user's OIDC ID token is invalid and Tyk's auth middleware bounces it there's nothing that can be done about the response (except customising it), it will not redirect. To do that you would need to completely replace the OIDC auth middleware with your own rich plugin (which while possible might be overkill).
However, you could check the claims of the inbound ID token (expiry etc.) to make sure it's valid as a soft pre-check without doing the crypto (so the inital check trusts they are valid, and then Tyk does the hard check with the signature/key)
The docs for writing these kinds of plugins is here they are actively being worked on and will update in 2017 with a more complete example.