jazzband / django-oauth-toolkit

OAuth2 goodies for the Djangonauts!
https://django-oauth-toolkit.readthedocs.io

Wrong timezone is applied to expiry token #1291

Closed wkleinheerenbrink closed 1 month ago

wkleinheerenbrink commented 1 year ago

Describe the bug

The _get_token_from_authentication_server interprets the expiry date incorrectly. The token is read from content['exp'], which is defined as NumericDate, which in turn is defined as a UNIX UTC timestamp (seconds since epoch). The exp is converted to a date using utcfromtimestamp followed by make_aware to turn it into a timezone-aware date. The latter uses the timezone chosen for your project, while it should use the UTC timezone. Now, given a timezone of +2 and an access token which expires after an hour, the access token will be invalid because it's in the past.

To Reproduce

  1. Set up an identity provider that serves access tokens with ACCESS_TOKEN_EXPIRE_SECONDS set to 3600
  2. Set up a resource server with the timezone set to TIME_ZONE = "Europe/Amsterdam" (+2)
  3. Request an access token and try to access the resource server
  4. The access token is always expired

Expected behavior

Access token is invalid

Version

django-oauth-toolkit==2.3.0

Additional context

It's rather easy to fix by changing:

- expires = make_aware(expires) if settings.USE_TZ else expires`
+ expires = make_aware(expires, timezone=pytz.UTC) if settings.USE_TZ else expires`
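Review bot: the `+` line references `pytz.UTC`, so the change would also need `import pytz` where this code lives; since `make_aware` accepts any `tzinfo`, passing `datetime.timezone.utc` instead avoids adding a dependency on pytz. Both lines also end in a stray backtick that is not part of the code.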

For backwards compatibility it would be better to have a setting which allows you to change the timezone specifically for the expiry token.
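The conversion described in the report, as an added example that is not part of the issue or of the django-oauth-toolkit code base: it uses only the standard library, a constructed token issued at a fixed instant, a fixed +2 offset standing in for Europe/Amsterdam in summer, and a small stand-in for make_aware (assumed to attach the zone without shifting the wall-clock time), and shows the buggy and corrected conversions side by side.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the identity provider issued the token at 10:00 UTC with
# ACCESS_TOKEN_EXPIRE_SECONDS = 3600, so "exp" (a NumericDate, i.e. seconds
# since the epoch in UTC) is one hour later.
ISSUED_AT = datetime(2023, 7, 1, 10, 0, tzinfo=timezone.utc)
EXP = int((ISSUED_AT + timedelta(seconds=3600)).timestamp())

# Constructed stand-in for the resource server's TIME_ZONE: a fixed UTC+2
# offset, which is what Europe/Amsterdam observes in summer (CEST).
PROJECT_TZ = timezone(timedelta(hours=2), "Europe/Amsterdam (CEST)")


def make_aware_like_django(naive, tz):
    # Assumption for this demo: like django.utils.timezone.make_aware, attach
    # the zone to a naive datetime without changing its wall-clock fields.
    return naive.replace(tzinfo=tz)


def expires_buggy(exp, project_tz=PROJECT_TZ):
    # The reported behaviour: utcfromtimestamp() yields a naive UTC wall-clock
    # time, and make_aware() then labels that wall-clock time as project-local,
    # which moves the instant earlier by the project's UTC offset.
    naive_utc = datetime.utcfromtimestamp(exp)
    return make_aware_like_django(naive_utc, project_tz)


def expires_fixed(exp):
    # exp is defined as UTC, so attach UTC explicitly (no project TIME_ZONE).
    return datetime.fromtimestamp(exp, tz=timezone.utc)


def is_expired(expires, now):
    # Aware datetimes compare as instants, regardless of their tzinfo.
    return expires <= now


if __name__ == "__main__":
    now = ISSUED_AT + timedelta(minutes=1)  # one minute after issuance
    print("buggy expiry :", expires_buggy(EXP).isoformat(), "expired:", is_expired(expires_buggy(EXP), now))
    print("fixed expiry :", expires_fixed(EXP).isoformat(), "expired:", is_expired(expires_fixed(EXP), now))
```

With a +2 project zone the buggy path places the expiry two hours before the real one, so a one-hour token is already "expired" one minute after it was issued, while the UTC conversion keeps it valid.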