[security:low] Access token expiration time is not enforced on userinfo or OAuth handler
The manager offers a
oidcRPMetaDataOptionsAccessTokenExpiration option to control the lifetime of Access tokens. However, in the current state of the code, setting this option to a low value does not expire access tokens any faster.
Whatever value is put in there, the access token will expire at the end of the global session timeout.
Applying the usual correction factor to _utime when creating the access token would work. But
- having an access token that lasts longer than the user session will not work
- the way purgeCentralCache works really should be modified to avoid having to fake the creation timestamp like we do currently, maybe a _endTime field should be added instead?