Expected Behavior
When constructing an OAuth2AccessTokenResponse, if a refresh token is present, it should include an expiresAt value similar to the access token.
Current Behavior
Currently, the following Spring Security framework builder code (`OAuth2AccessTokenResponse.Builder#build()`) omits the refresh token expiration.

```java
public OAuth2AccessTokenResponse build() {
    Instant issuedAt = getIssuedAt();
    Instant expiresAt = getExpiresAt();
    OAuth2AccessTokenResponse accessTokenResponse = new OAuth2AccessTokenResponse();
    accessTokenResponse.accessToken = new OAuth2AccessToken(this.tokenType, this.tokenValue, issuedAt, expiresAt, this.scopes);
    if (StringUtils.hasText(this.refreshToken)) {
        accessTokenResponse.refreshToken = new OAuth2RefreshToken(this.refreshToken, issuedAt); // We should include expiresAt here
    }
    accessTokenResponse.additionalParameters = Collections
            .unmodifiableMap(CollectionUtils.isEmpty(this.additionalParameters) ? Collections.emptyMap()
                    : this.additionalParameters);
    return accessTokenResponse;
}
```
Context
We are storing access and refresh tokens at the client side (for example, in a token cache or persistent store). To prevent stale or invalid tokens from accumulating, we want to implement a cleanup policy based on the refresh token’s expiry.
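The cleanup policy described above, as an added example that is not part of this issue or of Spring Security itself. It assumes `spring-security-oauth2-core` is on the classpath and uses only its public API (`OAuth2AccessTokenResponse.withToken(...)`, `getRefreshToken()`, `getExpiresAt()`); the `RefreshTokenExpiryCache` class, its fallback lifetime and the token values are constructed for the example. Because the builder currently leaves `expiresAt` null on the refresh token, the eviction deadline falls back to a configured maximum refresh-token lifetime measured from `issuedAt`; once the builder populates it, the real value is used automatically.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;

// Hypothetical client-side token cache (example code, not part of Spring Security).
public final class RefreshTokenExpiryCache {

    private final Map<String, OAuth2AccessTokenResponse> entries = new ConcurrentHashMap<>();
    private final Clock clock;
    // Conservative upper bound used only when the refresh token carries no expiresAt.
    private final Duration fallbackRefreshLifetime;

    public RefreshTokenExpiryCache(Clock clock, Duration fallbackRefreshLifetime) {
        this.clock = clock;
        this.fallbackRefreshLifetime = fallbackRefreshLifetime;
    }

    public void put(String principalName, OAuth2AccessTokenResponse response) {
        entries.put(principalName, response);
    }

    public OAuth2AccessTokenResponse get(String principalName) {
        return entries.get(principalName);
    }

    /** Instant after which nothing in the entry can still yield a valid access token. */
    static Instant evictionDeadline(OAuth2AccessTokenResponse response, Duration fallbackRefreshLifetime) {
        OAuth2AccessToken access = response.getAccessToken();
        OAuth2RefreshToken refresh = response.getRefreshToken();
        if (refresh == null) {
            // No refresh token: the entry is useless once the access token expires.
            return access.getExpiresAt();
        }
        if (refresh.getExpiresAt() != null) {
            // The value this issue asks the builder to populate.
            return refresh.getExpiresAt();
        }
        // Current builder behaviour: expiresAt is null, so age the token from its
        // issuedAt (or, failing that, from the access token's expiry) plus a fallback.
        Instant base = (refresh.getIssuedAt() != null) ? refresh.getIssuedAt() : access.getExpiresAt();
        return base.plus(fallbackRefreshLifetime);
    }

    /** Removes entries whose eviction deadline has passed; returns how many were removed. */
    public int evictExpired() {
        Instant now = clock.instant();
        int before = entries.size();
        entries.values().removeIf(r -> !evictionDeadline(r, fallbackRefreshLifetime).isAfter(now));
        return before - entries.size();
    }

    public static void main(String[] args) {
        Clock now = Clock.systemUTC();
        Duration fallback = Duration.ofDays(30); // constructed policy value

        OAuth2AccessTokenResponse response = OAuth2AccessTokenResponse
                .withToken("constructed-access-token")          // constructed sample value
                .tokenType(OAuth2AccessToken.TokenType.BEARER)
                .expiresIn(300)
                .refreshToken("constructed-refresh-token")      // constructed sample value
                .build();

        // With the builder as shown in the issue this prints "null".
        System.out.println("refresh expiresAt from builder: " + response.getRefreshToken().getExpiresAt());

        RefreshTokenExpiryCache fresh = new RefreshTokenExpiryCache(now, fallback);
        fresh.put("alice", response);
        System.out.println("evicted at issue time: " + fresh.evictExpired()); // 0

        // Same entry viewed 31 days later: the fallback lifetime has elapsed, so it is evicted.
        RefreshTokenExpiryCache later = new RefreshTokenExpiryCache(Clock.offset(now, Duration.ofDays(31)), fallback);
        later.put("alice", response);
        System.out.println("evicted after fallback lifetime: " + later.evictExpired()); // 1
    }
}
```

`evictionDeadline` prefers the refresh token's own `expiresAt` and only uses the fallback when it is absent, so the same cache works unchanged before and after the builder is fixed; the fallback should be set no longer than the authorization server's actual refresh-token lifetime, otherwise entries that can no longer be refreshed linger in the store.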