Update AuthenticationToken to include an expiration date

[kevinchalet]

#698 (comment)

[Tratcher]

I don't recommend it.
A) It complicates the storage and access model when we go beyond KVP
B) Expiration information is not commonly available for most token types. E.g. For OAuth you only get an expiration for the access token, and only from some providers. I've never seen it for refresh tokens, etc..
C) The only way to know if a token is really valid is to use it.

[Eilon]

For the reasons @Tratcher mentions we are not planning to add this.

[kevinchalet]

I'm fine (though limiting AuthenticationToken to a simple KVP clearly limits the way we could extend it).

In this case, you should consider removing expires_in/expires_at from the new tokens stuff as it's definitely not an authentication token.

[Eilon]

@Tratcher ?

[Tratcher]

It's still informative. We included it in all the other incarnations (claims, etc.), I don't see why you'd push to drop it now.

[kevinchalet]

I don't see why you'd push to drop it now.

Because it's semantically wrong: an expiration date is not an authentication token. That said, I think it's worth keeping it somewhere, so why not storing it as a simple property? (instead of including it in the authentication tokens stuff)

[Tratcher]

It's harder to retrieve and flow with the tokens if you treat it as separate data.