
Remove special treatment of nonstandard `expires_at` parameter

Open JonathanHuot opened this issue 7 years ago • 3 comments

It seems the expires_at parameter was introduced for the sake of simplicity for implementors, but it is not standard with the RFC.

I have checked major cloud providers (Google, Facebook); they are not using this. Only Azure uses expires_on, and the format is the same (UNIX timestamp).

I suggest removing expires_at from the oauthlib framework for 3.x.x. Anyone?

For implicit see: https://github.com/oauthlib/oauthlib/blob/3eaf962311dfbc566dbfa66a988e0331b91184be/oauthlib/oauth2/rfc6749/parameters.py#L285-L286

For token see: https://github.com/oauthlib/oauthlib/blob/3eaf962311dfbc566dbfa66a988e0331b91184be/oauthlib/oauth2/rfc6749/parameters.py#L372-L373

Note also that it will require extra work in a few upstream libraries because they have some unit tests using this field, e.g. @singingwolfboy's flask-dance: https://github.com/singingwolfboy/flask-dance/search?q=expires_at&unscoped_q=expires_at

JonathanHuot • Aug 06 '18 15:08

Thanks for notifying me about this proposed change. If expires_at is not standard with the RFC, then I agree that it should be removed from oauthlib. It means Flask-Dance has to do a bit more work, but I'm OK with that. 👍

singingwolfboy • Aug 07 '18 07:08

WIP in branch, see: https://github.com/oauthlib/oauthlib/compare/568-remove-expires_at

Note that the impacts on flask-dance and requests-oauthlib are not negligible, so I'd suggest moving it to 4.0.0 so as not to block the 3.0.0 release.

JonathanHuot • Aug 05 '18 10:12
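
An added example, not part of the thread and not oauthlib or Flask-Dance code: one way a downstream client could stop relying on a provider-supplied `expires_at` / `expires_on` and derive the deadline locally from `expires_in`, the lifetime field defined in RFC 6749 section 5.1. The function names, the `local_expires_at` key and the 30-second safety margin are assumptions made for illustration.

```python
import time

# expires_at / expires_on are the nonstandard fields named in the thread.
NONSTANDARD_EXPIRY_FIELDS = ("expires_at", "expires_on")


def normalize_token_expiry(token, now=None, skew=30):
    """Return (cleaned_token, dropped_fields).

    Hypothetical helper: absolute timestamps sent by the server are dropped
    and reported; `local_expires_at` is computed from the local clock and
    expires_in, minus `skew` seconds so the token is refreshed early.
    """
    now = time.time() if now is None else now
    cleaned = {k: v for k, v in token.items() if k not in NONSTANDARD_EXPIRY_FIELDS}
    dropped = sorted(k for k in token if k in NONSTANDARD_EXPIRY_FIELDS)

    raw = token.get("expires_in")
    if raw is None:
        # expires_in is RECOMMENDED, not REQUIRED: the lifetime is unknown,
        # so the caller must be ready for the resource server to reject it.
        cleaned["local_expires_at"] = None
        return cleaned, dropped
    try:
        lifetime = int(raw)  # some servers send the number as a string
    except (TypeError, ValueError):
        raise ValueError("expires_in is not an integer: %r" % (raw,))
    if lifetime < 0:
        raise ValueError("expires_in must not be negative")
    cleaned["expires_in"] = lifetime
    cleaned["local_expires_at"] = now + max(lifetime - skew, 0)
    return cleaned, dropped


def is_expired(token, now=None):
    """True when a locally computed deadline exists and has passed."""
    now = time.time() if now is None else now
    deadline = token.get("local_expires_at")
    return deadline is not None and now >= deadline


# Constructed sample response (not from a real provider).
SAMPLE = {"access_token": "placeholder-token", "token_type": "Bearer",
          "expires_in": "3600", "expires_at": 4102444800}

if __name__ == "__main__":
    tok, dropped = normalize_token_expiry(SAMPLE, now=1_000_000)
    print(tok["local_expires_at"], dropped, is_expired(tok, now=1_003_600))
```
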