ID Token에 rt_expires_at 클레임 추가

backend/internal/handler/auth_handler_dynamic_claims_test.go

@@ -36,6 +36,38 @@ func assertRefreshTokenExpiryClaimWithin(t *testing.T, claims map[string]any, is
 	assert.False(t, expiresAt.After(issuedBefore.Add(ttl).Add(time.Second)), "rt_expires_at should be before or equal to request end + ttl")
 }
 
+func TestHydraRefreshTokenTTL_DefaultAndFallback(t *testing.T) {
+	t.Run("uses explicit env value", func(t *testing.T) {
+		t.Setenv("HYDRA_REFRESH_TOKEN_TTL", "96h")
+		assert.Equal(t, 96*time.Hour, hydraRefreshTokenTTL())
+	})
+
+	t.Run("uses default when env is empty", func(t *testing.T) {
+		t.Setenv("HYDRA_REFRESH_TOKEN_TTL", "")
+		assert.Equal(t, defaultRefreshTokenTTL, hydraRefreshTokenTTL())
+	})
+
+	t.Run("uses default when env is invalid", func(t *testing.T) {
+		t.Setenv("HYDRA_REFRESH_TOKEN_TTL", "not-a-duration")
+		assert.Equal(t, defaultRefreshTokenTTL, hydraRefreshTokenTTL())
+	})
+
+	t.Run("uses default when env is non-positive", func(t *testing.T) {
+		t.Setenv("HYDRA_REFRESH_TOKEN_TTL", "0h")
+		assert.Equal(t, defaultRefreshTokenTTL, hydraRefreshTokenTTL())
+	})
+}
+
+func TestWithRefreshTokenExpiryClaim_UsesHydraRefreshTokenTTL(t *testing.T) {
+	t.Setenv("HYDRA_REFRESH_TOKEN_TTL", "36h")
+
+	issuedAt := time.Date(2026, time.June, 15, 14, 0, 0, 0, time.UTC)
+	claims := withRefreshTokenExpiryClaim(map[string]any{"email": "user@test.com"}, issuedAt)
+
+	assert.Equal(t, "user@test.com", claims["email"])
+	assert.Equal(t, issuedAt.Add(36*time.Hour).Unix(), claims["rt_expires_at"])
+}
+
 func TestBuildOidcClaimsFromTraits_DynamicClaims(t *testing.T) {
 	traits := map[string]any{
 		"email":     "user@baron.com",