
refresh and access tokens should not have the same lifespan #686

Open
manishahluwalia opened this issue Nov 24, 2024 · 0 comments
Is your feature request related to a problem? Please describe.

It is common OAuth2 practice that when both access and refresh tokens are issued, the refresh token has a longer expiration than the access token. In fact, Google mentions this as the recommendation: https://cloud.google.com/apigee/docs/api-platform/antipatterns/oauth-long-expiration#:~:text=A%20good%20starting%20point%20for,lifetime%20of%20the%20access%20tokens.

Set the expiration time for refresh tokens in such a way that it is valid for a multiple of the lifetime of the access tokens

When Authlib issues both tokens, it gives them both the same expiration time, since it ONLY keys off the grant_type and does not take the token type into consideration. You can see it in the response, which has fields for access_token, refresh_token, and a single expires_in.

Describe the solution you'd like

Expiration settings should allow different token lifetimes to be specified for different token types.

Backward compatibility could be maintained (e.g. if the expiration setting is an integer for the old behavior, or a dict for token-type-specific expiration settings).
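An added illustration of the proposed setting shape, written for this thread and not taken from Authlib: an int keeps the old single lifetime, a dict gives per-token-type lifetimes, the server stores a separate expiry per token, and the refresh grant validates against the refresh token's own expiry. The `ExpiresSetting` shape, `StoredToken` record and function names are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Mapping, Union

# Hypothetical setting shape (an assumption, not Authlib's API): an int keeps the
# old behaviour (one lifetime for both tokens); a dict gives per-token-type lifetimes.
ExpiresSetting = Union[int, Mapping[str, int]]


def resolve_lifetimes(setting: ExpiresSetting) -> tuple[int, int]:
    """Return (access_ttl, refresh_ttl) in seconds."""
    if isinstance(setting, int):
        return setting, setting  # legacy behaviour: same lifespan for both
    access_ttl = int(setting["access_token"])
    refresh_ttl = int(setting["refresh_token"])
    if refresh_ttl < access_ttl:
        raise ValueError("refresh_token lifetime must not be shorter than access_token's")
    return access_ttl, refresh_ttl


@dataclass
class StoredToken:
    """Server-side record: each token carries its own expiry."""
    access_token: str
    refresh_token: str
    access_expires_at: int
    refresh_expires_at: int


def issue_tokens(setting: ExpiresSetting, now: int) -> tuple[StoredToken, dict]:
    """Create a token pair; expires_in in the response covers the access token only."""
    access_ttl, refresh_ttl = resolve_lifetimes(setting)
    record = StoredToken(
        access_token=secrets.token_urlsafe(32),
        refresh_token=secrets.token_urlsafe(32),
        access_expires_at=now + access_ttl,
        refresh_expires_at=now + refresh_ttl,
    )
    response = {
        "token_type": "Bearer",
        "access_token": record.access_token,
        "expires_in": access_ttl,  # per RFC 6749 this is the access token lifetime
        "refresh_token": record.refresh_token,
    }
    return record, response


def refresh_allowed(record: StoredToken, now: int) -> bool:
    """The refresh grant checks the refresh token's own expiry, not the access token's."""
    return now < record.refresh_expires_at
```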

@lepture lepture self-assigned this Jan 18, 2025