fix(backend): return IdPOAuthAccessToken JWT timestamps in milliseconds (#8771)

Author: jacekradko

.changeset/idp-oauth-token-ms-timestamps.md

@@ -0,0 +1,5 @@
+---
+'@clerk/backend': patch
+---
+
+Return `IdPOAuthAccessToken` timestamps in milliseconds when an OAuth access token is verified as a JWT. The `expiration`, `createdAt`, and `updatedAt` fields were previously populated with the JWT's raw second-based `exp`/`iat` values, making them inconsistent with the same fields on `M2MToken` and with the values returned when the token is fetched from the API. Comparing `expiration` against `Date.now()` now behaves as expected. The `expired` flag was already computed correctly and is unaffected.

packages/backend/src/api/resources/IdPOAuthAccessToken.ts

@@ -57,9 +57,9 @@ export class IdPOAuthAccessToken {
       false,
       null,
       payload.exp * 1000 <= Date.now() - clockSkewInMs,
-      payload.exp,
-      payload.iat,
-      payload.iat,
+      payload.exp * 1000, // milliseconds: expiration, converted from JWT exp claim
+      payload.iat * 1000, // milliseconds: createdAt, converted from JWT iat claim
+      payload.iat * 1000, // milliseconds: updatedAt, no JWT equivalent, defaults to iat
     );
   }
 }

packages/backend/src/tokens/__tests__/verify.test.ts

@@ -407,6 +407,10 @@ describe('tokens.verifyMachineAuthToken(token, options)', () => {
       expect(data.type).toBe('oauth_token');
       expect(data.subject).toBe('user_2vYVtestTESTtestTESTtestTESTtest');
       expect(data.scopes).toEqual(['read:foo', 'write:bar']);
+      // Timestamps are exposed in milliseconds, matching M2MToken and the API JSON shape
+      expect(data.expiration).toBe(mockOAuthAccessTokenJwtPayload.exp * 1000);
+      expect(data.createdAt).toBe(mockOAuthAccessTokenJwtPayload.iat * 1000);
+      expect(data.updatedAt).toBe(mockOAuthAccessTokenJwtPayload.iat * 1000);
     });
 
     it('fails if JWT type is not at+jwt or application/at+jwt', async () => {