From 86a9ad394c4d0bdf402092c44b20c4f19b31bb10 Mon Sep 17 00:00:00 2001
From: Olivier 'reivilibre <oliverw@matrix.org>
Date: Mon, 17 Mar 2025 09:39:52 +0000
Subject: [PATCH 1/2] Add `expires_in` to introspection responses

Closes #4224

Corresponds to: https://github.com/element-hq/synapse/pull/18231
---
 crates/handlers/src/oauth2/introspection.rs | 9 +++++++++
 crates/oauth2-types/src/requests.rs         | 4 ++++
 2 files changed, 13 insertions(+)

diff --git a/crates/handlers/src/oauth2/introspection.rs b/crates/handlers/src/oauth2/introspection.rs
index 421e10cbb..f67676720 100644
--- a/crates/handlers/src/oauth2/introspection.rs
+++ b/crates/handlers/src/oauth2/introspection.rs
@@ -151,6 +151,7 @@ const INACTIVE: IntrospectionResponse = IntrospectionResponse {
     username: None,
     token_type: None,
     exp: None,
+    expires_in: None,
     iat: None,
     nbf: None,
     sub: None,
@@ -281,6 +282,9 @@ pub(crate) async fn post(
                 username,
                 token_type: Some(OAuthTokenTypeHint::AccessToken),
                 exp: access_token.expires_at,
+                expires_in: access_token
+                    .expires_at
+                    .map(|expires_at| expires_at.signed_duration_since(clock.now()).num_seconds()),
                 iat: Some(access_token.created_at),
                 nbf: Some(access_token.created_at),
                 sub,
@@ -341,6 +345,7 @@ pub(crate) async fn post(
                 username,
                 token_type: Some(OAuthTokenTypeHint::RefreshToken),
                 exp: None,
+                expires_in: None,
                 iat: Some(refresh_token.created_at),
                 nbf: Some(refresh_token.created_at),
                 sub,
@@ -414,6 +419,9 @@ pub(crate) async fn post(
                 username: Some(user.username),
                 token_type: Some(OAuthTokenTypeHint::AccessToken),
                 exp: access_token.expires_at,
+                expires_in: access_token
+                    .expires_at
+                    .map(|expires_at| expires_at.signed_duration_since(clock.now()).num_seconds()),
                 iat: Some(access_token.created_at),
                 nbf: Some(access_token.created_at),
                 sub: Some(user.sub),
@@ -487,6 +495,7 @@ pub(crate) async fn post(
                 username: Some(user.username),
                 token_type: Some(OAuthTokenTypeHint::RefreshToken),
                 exp: None,
+                expires_in: None,
                 iat: Some(refresh_token.created_at),
                 nbf: Some(refresh_token.created_at),
                 sub: Some(user.sub),
diff --git a/crates/oauth2-types/src/requests.rs b/crates/oauth2-types/src/requests.rs
index 0b452ff72..a4246e9b4 100644
--- a/crates/oauth2-types/src/requests.rs
+++ b/crates/oauth2-types/src/requests.rs
@@ -767,6 +767,10 @@ pub struct IntrospectionResponse {
     #[serde_as(as = "Option<TimestampSeconds>")]
     pub exp: Option<DateTime<Utc>>,
 
+    /// Relative timestamp indicating when the token will expire,
+    /// in seconds from the current instant.
+    pub expires_in: Option<i64>,
+
     /// Timestamp indicating when the token was issued.
     #[serde_as(as = "Option<TimestampSeconds>")]
     pub iat: Option<DateTime<Utc>>,

From 910630c9b8c3e9c10a31c1751fa9ebb3dc4855f2 Mon Sep 17 00:00:00 2001
From: Olivier 'reivilibre <oliverw@matrix.org>
Date: Mon, 17 Mar 2025 10:29:54 +0000
Subject: [PATCH 2/2] Use `DurationSeconds`

---
 crates/handlers/src/oauth2/introspection.rs | 4 ++--
 crates/oauth2-types/src/requests.rs         | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/crates/handlers/src/oauth2/introspection.rs b/crates/handlers/src/oauth2/introspection.rs
index f67676720..608871e54 100644
--- a/crates/handlers/src/oauth2/introspection.rs
+++ b/crates/handlers/src/oauth2/introspection.rs
@@ -284,7 +284,7 @@ pub(crate) async fn post(
                 exp: access_token.expires_at,
                 expires_in: access_token
                     .expires_at
-                    .map(|expires_at| expires_at.signed_duration_since(clock.now()).num_seconds()),
+                    .map(|expires_at| expires_at.signed_duration_since(clock.now())),
                 iat: Some(access_token.created_at),
                 nbf: Some(access_token.created_at),
                 sub,
@@ -421,7 +421,7 @@ pub(crate) async fn post(
                 exp: access_token.expires_at,
                 expires_in: access_token
                     .expires_at
-                    .map(|expires_at| expires_at.signed_duration_since(clock.now()).num_seconds()),
+                    .map(|expires_at| expires_at.signed_duration_since(clock.now())),
                 iat: Some(access_token.created_at),
                 nbf: Some(access_token.created_at),
                 sub: Some(user.sub),
diff --git a/crates/oauth2-types/src/requests.rs b/crates/oauth2-types/src/requests.rs
index a4246e9b4..631b33309 100644
--- a/crates/oauth2-types/src/requests.rs
+++ b/crates/oauth2-types/src/requests.rs
@@ -769,7 +769,8 @@ pub struct IntrospectionResponse {
 
     /// Relative timestamp indicating when the token will expire,
     /// in seconds from the current instant.
-    pub expires_in: Option<i64>,
+    #[serde_as(as = "Option<DurationSeconds<i64>>")]
+    pub expires_in: Option<Duration>,
 
     /// Timestamp indicating when the token was issued.
     #[serde_as(as = "Option<TimestampSeconds>")]