manfredsteyer / angular-oauth2-oidc

Support for OAuth 2 and OpenId Connect (OIDC) in Angular.
MIT License

Expiry (exp) field inside access token is ignored #633

Open sburton84 opened 5 years ago

sburton84 commented 5 years ago

Describe the bug
When receiving an access token, only the expires_in field in the OIDC response is honoured; if there is an exp field within the access token JWT itself, it is ignored. This results in no expiry being stored if there is no expires_in field, even when the expiry is specified in the JWT.

To Reproduce
Steps to reproduce the behavior:

  1. Obtain a token response that has no expires_in field but has an exp field within the access_token JWT
  2. Call getAccessTokenExpiration
  3. See the result is null

Expected behavior
getAccessTokenExpiration should return a non-null result containing the expiry from the exp field within the JWT.

jeroenheijmans commented 5 years ago

Related to #324, though I'm not sure if this was ever resolved or not? The comments there suggest so, but your repro suggests it doesn't...

sburton84 commented 5 years ago

Ah, I didn't see that issue; it does sound like the same thing. It sounds like they just worked around the issue by using hasValidIdToken as well as hasValidAccessToken, but this is only a workaround, as the two tokens aren't necessarily guaranteed to have the same expiration.
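The behaviour the issue asks for, and the reason the hasValidIdToken workaround is unsound, as an added example that is not part of angular-oauth2-oidc: the expiry is taken from expires_in when present and otherwise from the exp claim of the access token, and each token's expiry is tracked on its own rather than assuming the ID token and access token expire together. The token response shape, the function names (accessTokenExpiration, jwtExpiration, hasValidToken, makeSampleJwt) and the sample tokens are all constructed for this example; the JWT payload is decoded without signature verification, because the value is only used client-side to schedule refreshes and the resource server remains the authority on whether the token is accepted.

```typescript
// Added example, not library code. Node's Buffer is used for base64 decoding.

interface TokenResponse {
  access_token: string;
  id_token?: string;
  expires_in?: number; // seconds, per RFC 6749 §5.1; optional
}

// Decode base64url (RFC 7515 §2) by mapping to standard base64 with padding.
function base64UrlDecode(input: string): string {
  const b64 = input.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Read the payload of a compact JWS. The signature is deliberately NOT
// verified here: this is a client-side hint for refresh scheduling only.
function decodeJwtPayload(token: string): Record<string, unknown> | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null; // opaque (non-JWT) access tokens
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return typeof payload === 'object' && payload !== null ? payload : null;
  } catch {
    return null;
  }
}

// exp is a NumericDate in seconds (RFC 7519 §4.1.4); returned as epoch ms.
function jwtExpiration(token: string): number | null {
  const exp = decodeJwtPayload(token)?.exp;
  return typeof exp === 'number' && Number.isFinite(exp) ? exp * 1000 : null;
}

// Prefer expires_in (relative to when the response was received); fall back
// to the access token's own exp claim; null only if neither source exists.
function accessTokenExpiration(resp: TokenResponse, receivedAtMs: number): number | null {
  if (typeof resp.expires_in === 'number' && Number.isFinite(resp.expires_in)) {
    return receivedAtMs + resp.expires_in * 1000;
  }
  return jwtExpiration(resp.access_token);
}

// A token with no known expiry is treated as invalid rather than as valid forever.
function hasValidToken(expiresAtMs: number | null, nowMs: number): boolean {
  return expiresAtMs !== null && nowMs < expiresAtMs;
}

// Builds a constructed sample JWT with a placeholder signature segment; only
// the payload is read by the functions above.
function makeSampleJwt(payload: Record<string, unknown>): string {
  const enc = (o: unknown) =>
    Buffer.from(JSON.stringify(o)).toString('base64')
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}
```

In a session check, call hasValidToken once per token with its own expiry: an ID token that is still valid says nothing about whether the access token has expired, which is the point raised in the last comment above.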