puppetlabs / vault-plugin-secrets-oauthapp

OAuth 2.0 secrets plugin for HashiCorp Vault supporting a variety of grant types
Apache License 2.0

Add support for specifying the maximum lifetime of an access token #77

Closed impl closed 1 year ago

impl commented 1 year ago

This is based on #75, but when I went to write tests for it I found that this was actually generally applicable to any type of token, not just refresh tokens. So with this change, it's possible to specify an absolute maximum token validity time, capping any response returned by the authorization server.

CCing @RehmatGul0 for feedback, and note the API is slightly different than what you proposed. When writing a credential, instead of provider_options=token_expiry=1234, you will use maximum_expiry_seconds=1234.

impl commented 1 year ago

I'm going to go ahead and merge this, but if you have any concerns, feel free to leave them as comments or a review on this PR. I won't cut a formal release for a week or so from now so you can have time to test.