
OAuth access token does not have an expiration

Summary

OAuth access tokens do not have an expiry.

Steps to reproduce

Create a token as described in the GitLab as an OAuth Provider documentation (resource owner password credentials grant):

curl -X POST -H "Content-Type: application/json" --data '{"grant_type":"password","username":"<username>","password":"<password>"}' https://gitlab.example.com/oauth/token

What is the current bug behavior?

According to the documentation, the token response should include expires_in. It does not, and when the token is looked up via the token info endpoint, expires_in_seconds is null: the access token never expires.

What is the expected correct behavior?

The token response should include an expires_in value, and the access token should stop working once that lifetime has elapsed.

Relevant logs and/or screenshots

Token creation:

curl -k -X POST -H "Content-Type: application/json" --data "{\"grant_type\":\"password\",\"username\":\"<username>\",\"password\":\"<password>\"}" https://gitlab.example.com/oauth/token
{"access_token":"<access-token>","token_type":"bearer","refresh_token":"<refresh-token>","scope":"api","created_at":1522861703}

Token info:

curl -H "Authorization: Bearer <access-token>" \
     https://gitlab.example.com/oauth/token/info
{"resource_owner_id":1,"scopes":["api"],"expires_in_seconds":null,"application":{"uid":null},"created_at":1522861703}

Links

Customer ticket -> https://gitlab.zendesk.com/agent/tickets/93990 (internal)

Release Post MR --> gitlab-com/www-gitlab-com!89791 (merged)

Proposed Solution

  1. Add a new checkbox to the OAuth application form, "Expire Access Token", so the setting exists on a per-application basis
  2. For any new application, this checkbox is enabled by default
  3. When the checkbox is enabled, expire access tokens after 2 hours
  4. Update the docs to recommend that integrations refresh tokens at some interval (can we decide on the interval up front so integrations can build accordingly?)
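The following is an added example, not code from GitLab or from this issue: a small client-side check that reads a /oauth/token response (and, separately, a /oauth/token/info response) and decides whether the access token expires, when it expires, and when a client should refresh it. The sample responses are constructed to mirror the ones quoted above; the response with `expires_in: 7200` is an assumption of what the proposed 2-hour lifetime would look like, and the function and field names (`audit`, `refresh_at`) are this example's own.

```python
import json
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses modelled on the ones quoted in this issue;
# they were not captured from a live server. Placeholders are kept as-is.
TOKEN_RESPONSE_NO_EXPIRY = (
    '{"access_token":"<access-token>","token_type":"bearer",'
    '"refresh_token":"<refresh-token>","scope":"api","created_at":1522861703}'
)
# Assumed shape of the response once the proposed 2-hour lifetime is in place:
# the only difference is the presence of expires_in (seconds).
TOKEN_RESPONSE_WITH_EXPIRY = (
    '{"access_token":"<access-token>","token_type":"bearer","expires_in":7200,'
    '"refresh_token":"<refresh-token>","scope":"api","created_at":1522861703}'
)
TOKEN_INFO_NO_EXPIRY = (
    '{"resource_owner_id":1,"scopes":["api"],"expires_in_seconds":null,'
    '"application":{"uid":null},"created_at":1522861703}'
)


@dataclass(frozen=True)
class TokenLifetime:
    """Expiry facts about one access token."""
    created_at: int            # Unix time the token was issued
    expires_in: Optional[int]  # total lifetime in seconds; None means never expires

    @property
    def expires(self) -> bool:
        return self.expires_in is not None

    @property
    def expires_at(self) -> Optional[int]:
        return None if self.expires_in is None else self.created_at + self.expires_in

    def is_expired(self, now: int) -> bool:
        return self.expires_at is not None and now >= self.expires_at

    def refresh_at(self, fraction: float = 0.5) -> Optional[int]:
        """Unix time at which a client should use the refresh_token grant.

        Refreshing at half the lifetime leaves a full hour of slack for a
        2-hour token; a stricter client can lower the fraction.
        """
        if self.expires_in is None:
            return None
        return self.created_at + int(self.expires_in * fraction)


def parse_token_response(body: str) -> TokenLifetime:
    """Parse a /oauth/token response; a missing expires_in means a non-expiring token."""
    data = json.loads(body)
    exp = data.get("expires_in")
    return TokenLifetime(int(data["created_at"]), None if exp is None else int(exp))


def parse_token_info(body: str, now: int) -> TokenLifetime:
    """Parse a /oauth/token/info response.

    Assumption: expires_in_seconds is the *remaining* lifetime at query time
    (how Doorkeeper reports it), so the total lifetime is reconstructed as
    (now - created_at) + remaining. A null value means the token never expires.
    """
    data = json.loads(body)
    created = int(data["created_at"])
    remaining = data.get("expires_in_seconds")
    if remaining is None:
        return TokenLifetime(created, None)
    return TokenLifetime(created, (now - created) + int(round(remaining)))


def audit(body: str, now: Optional[int] = None) -> dict:
    """Summarise a token response the way a reviewer of this bug would read it."""
    now = int(time.time()) if now is None else now
    tl = parse_token_response(body)
    return {
        "expires": tl.expires,
        "expires_at": tl.expires_at,
        "expired_now": tl.is_expired(now),
        "refresh_at": tl.refresh_at(),
        "finding": None if tl.expires else "access token has no expiry (no expires_in in response)",
    }


if __name__ == "__main__":
    for label, body in (("reported", TOKEN_RESPONSE_NO_EXPIRY), ("proposed", TOKEN_RESPONSE_WITH_EXPIRY)):
        print(label, audit(body, now=1522861703))
```

Running the check against the reported response yields a finding and no refresh deadline; against the proposed 2-hour response it yields an expiry at created_at + 7200 and a refresh point one hour after issuance, which is the kind of interval item 4 above asks integrations to build around.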