When creating with expires_at and no expiry, token expires after 1 minute

[iheanyi]

Looking through the code, the expiry for a JWT has no means of handling when the expires_at, expires_in, and expires options are set. In order to have them match, you must set both.

I'd expect that if options[:expiry] isn't defined, then it would be overwritten by the same value if expires_in or expires is set, or from options[:expires_at] - Time.current] if expires_at is set.

Environment details

• OS: macOS 12.5
• Ruby version: 3.1.2
• Gem name and version: signet, 0.17.0

Steps to reproduce

1. Create an OAuth2 client with an expires_at of 1.hour.from_now against a Google Cloud Endpoints API
2. Use token to make an authenticated API call
3. Get the error JWT validation failed: TIME_CONSTRAINT_FAILURE

Code example

email = service_account_email
service_account = JSON.parse(ENV["service_account_json"])

oauth = Signet::OAuth2::Client.new({
        expires_at: 1.hour.from_now,
        audience: "<redacted>",
        issuer: email,
        scope: "email",
        authorization_uri: "https://accounts.google.com/o/oauth2/auth",
        token_credential_uri: "https://www.googleapis.com/oauth2/v4/token",
        client_id: service_account["client_id"],
        signing_key: OpenSSL::PKey::RSA.new(service_account["private_key"]),
        sub: email,
      })

jwt = oauth.generate_jwt

http_client = Faraday.new(headers: { "Content-Type" => "application/json", "Authorization" => "Bearer #{@token}" }, request: { timeout: timeout }) do |f|
          f.request(:json)
end


res = http_client.get("https://cloudapiendpoint.com")

# Successful response here
puts res.success? # true

# Wait for 2-3 minutes (to mimic 60 seconds passing and the skew)

sleep(150)

res = http_client.get("https://cloudapiendpoint.com")

// Get the error here, we would expect to see this as a valid request
puts res.success? # false
puts JSON.parse(res.body) # You can see error output here.