Return expires_in in token endpoint's response.

[mohsinhijazee]

First of - brilliant piece of software with things distilled to the core.

One thing that I miss is that the OAuth spec recommends expires_in as part of the token endpoints response. Reference (not RFC) here. This allows lots of tooling (client libraries) to reuse the token expiry and refresh logic out of the box.

We already know the token expiry when we generate the token

async function generateTokens(/* all the params here */)
{

// Other stuff here....

 return {
      access: await new SignJWT({
        mode: "access",
        type: value.type,
        properties: value.properties,
        aud: value.clientID,
        iss: issuer(ctx),
        sub: value.subject,
      })
        .setExpirationTime(
          Math.floor((value.timeUsed ?? Date.now()) / 1000 + value.ttl.access),
        )
        .setProtectedHeader(
          await signingKey.then((k) => ({
            alg: k.alg,
            kid: k.id,
            typ: "JWT",
          })),
        )
        .sign(await signingKey.then((item) => item.private)),
      refresh: [value.subject, refreshToken].join(":"),
    }

}

It would be great if we include expires_in as part of the token endpoint's response. I can contribute a PR, don't have it though.

[thdxr]

yep this is a missing feature we need to add, would def take a PR