Describe the bug I'm facing an issue regarding the spring-authorization-server that depends on this bug fix.

When an access token is built using OAuth2AccessTokenResponse.Builder, the issuedAt and the expiresAt properties will be null because are private and the builder do not accepts those values. That's leading a problem in the response value expires_in which always has an incorrect calculation between the token's issuedAt and expiresAt.

To Reproduce and Expected behavior All the steps are the same as mentioned in this issue

Sample

A link to a repository with a minimal, reproducible sample.

Comment From: sjohnr

@douglas-DS thanks for reaching out and thanks for the sample! However, I don't see you customizing the token response for SAS so I'm not sure the sample relates directly to what you're reporting.

When an access token is built using OAuth2AccessTokenResponse.Builder, the issuedAt and the expiresAt properties will be null because are private and the builder do not accepts those values.

OAuth2AccessTokenResponse.Builder actually has the expiresIn() method which allows you to specify your own value for expires_in. If you would like to re-use an access token (as your sample does), you can build a new instance with a refreshed expires_in as follows:

OAuth2AccessToken accessToken = ...;
long expiresIn = ChronoUnit.SECONDS.between(Instant.now(), accessToken.getExpiresAt());
OAuth2AccessTokenResponse tokenResponse =
    OAuth2AccessTokenResponse.withToken(accessToken.getTokenValue())
        .expiresIn(expiresIn)
        ...
        .build();

I don't see any bug here, so I'm going to close this as answered. If I have misunderstood anything, please let me know.