Access & ID token lifetimes (minutes) isn't taken into account
The OAuth 2.0 authorization code flow ignores the "Access & ID token lifetimes (minutes)" configuration. In the response's expiredon, the configuration is taken into account, but not in the accesstoken's payload (exp-property).
OAuth 2.0 authorization code flow means, that the granttype = authorizationcode.
"Access & ID token lifetimes (minutes)" configuration for the SignupIn flow: 1440 minutes
Time of the observation: 08/02/2019 12:03 (GMT+2)
Payload in the access_token:
Timestamp = 08/02/2019 12:02 (GMT+2)
Value in the response of the token-endpoint:
Timestamp = 08/03/2019 9:02 (UTC)
Current solution: As workaround, the "Access & ID token lifetimes (minutes)" configuration was set to the default value (60 minutes). Now the "exp" property in the accesstoken and the "expireson" property in the response match.