Description
For some reason DOT decided against using the proper OAuthLib way of dealing with token timeouts, and instead overrides the timeout during store_bearer_token in the validator. This approach makes it really difficult to dynamically change the token timeout depending on the request.
More than that, it is also not the way OAuthLib suggests this should be done: the "proper" way is to either override the OAuthLib token class, or simply pass token_expires_in parameter to the Server constructor (which will eventually get to the BearerToken constructor). This parameter may be a callable taking request as a parameter and returning the expiration time in seconds.
I suggest that instead of today's ACCESS_TOKEN_EXPIRE_SECONDS setting (well, in a backward-compatible manner) we add an ACCESS_TOKEN_EXPIRES_IN, which may either be a number of seconds or a function taking request and returning seconds. Internally, this value will simply be passed to the Server constructor in OAuthLibMixin.get_server.
Another good outcome is that it will allow getting rid of this bad pattern and a pending TODO.
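The per-request lifetime callable the issue describes, as an added example (not code from the issue author or from django-oauth-toolkit). The scope names, the lifetimes and the `resolve_expires_in` helper are constructed for illustration; the helper mirrors the callable-or-integer handling the post attributes to OAuthLib's BearerToken, and `build_server` shows the `token_expires_in` wiring into oauthlib's Server.

```python
"""Per-request access-token lifetime via OAuthLib's token_expires_in."""

# Constructed policy values for this example (not DOT defaults).
DEFAULT_EXPIRES_IN = 36000           # 10 hours for ordinary tokens
SENSITIVE_SCOPE_EXPIRES_IN = 900     # 15 minutes when elevated scopes are granted
CLIENT_CREDENTIALS_EXPIRES_IN = 3600 # 1 hour for machine-to-machine tokens
SENSITIVE_SCOPES = frozenset({"admin", "write:users"})  # hypothetical scope names


def access_token_expires_in(request):
    """Return the lifetime in seconds for the token about to be issued.

    ``request`` is the oauthlib.common.Request passed by BearerToken; only
    ``scopes`` and ``grant_type`` are read. Issuing shorter-lived tokens for
    high-impact scopes and for the client_credentials grant narrows the window
    in which a leaked token is usable, without touching the validator.
    """
    scopes = set(getattr(request, "scopes", None) or [])
    if scopes & SENSITIVE_SCOPES:
        return SENSITIVE_SCOPE_EXPIRES_IN
    if getattr(request, "grant_type", None) == "client_credentials":
        return CLIENT_CREDENTIALS_EXPIRES_IN
    return DEFAULT_EXPIRES_IN


def resolve_expires_in(expires_in, request):
    """Apply the same rule BearerToken uses for its expires_in setting:
    an integer is used as-is, a callable is invoked with the request."""
    if callable(expires_in):
        return int(expires_in(request))
    return int(expires_in)


def build_server(validator, expires_in=access_token_expires_in):
    """Wire the policy into oauthlib's Server, which forwards it to BearerToken.

    This is what the proposed ACCESS_TOKEN_EXPIRES_IN setting would feed into
    OAuthLibMixin.get_server. Imported lazily so the policy functions above
    stay usable in unit tests without oauthlib installed.
    """
    from oauthlib.oauth2 import Server
    return Server(validator, token_expires_in=expires_in)
```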