Expected Behavior
Client is able to set the refreshToken to expire in given period
Current Behavior
Client held the refreshToken even though it is expired from server side
Context The server only grants refreshToken alive for 24 hours. The expireAt for refreshToken is null at client side so that the client is rejected by the server after 24 hours. Is it possible to pass expireAt to construct RefreshToken, e.g. set it expired in 23 hours
Comment From: sjohnr
@helanyao thanks for your interest in the project!
The short answer to your question is yes, it would be possible to pass the expiresAt parameter.
https://github.com/spring-projects/spring-security/blob/c719a8e4d42e4c3e0ec7fd283305a0d8a138519d/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/OAuth2RefreshToken.java#L55-L57
However, it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.