ID Token에 rt_expires_at 클레임 추가

backend/internal/handler/auth_handler.go

@@ -86,6 +86,7 @@ const (
 	linkResendCooldown     = 60 * time.Second
 	prefixDrySend          = "dry_send:"
 	headlessJWKSFetchTTL   = 5 * time.Second
+	defaultRefreshTokenTTL = 30 * 24 * time.Hour
 )
 
 type AuthHandler struct {
@@ -1244,9 +1245,31 @@ func withOidcSessionMetadata(claims map[string]any, sessionID string) map[string
 	return claims
 }
 
+func hydraRefreshTokenTTL() time.Duration {
+	raw := strings.TrimSpace(os.Getenv("HYDRA_REFRESH_TOKEN_TTL"))
+	if raw == "" {
+		return defaultRefreshTokenTTL
+	}
+	ttl, err := time.ParseDuration(raw)
+	if err != nil || ttl <= 0 {
+		slog.Warn("invalid HYDRA_REFRESH_TOKEN_TTL, falling back to default", "value", raw, "default", defaultRefreshTokenTTL.String(), "error", err)
+		return defaultRefreshTokenTTL
+	}
+	return ttl
+}
+
+func withRefreshTokenExpiryClaim(claims map[string]any, issuedAt time.Time) map[string]any {
+	if claims == nil {
+		claims = map[string]any{}
+	}
+	claims["rt_expires_at"] = issuedAt.Add(hydraRefreshTokenTTL()).Unix()
+	return claims
+}
+
 func composeOIDCSessionClaims(client domain.HydraClient, traits map[string]any, scopes []string, tenantID string, sessionID string) map[string]any {
 	claims := buildOidcClaimsFromTraits(traits, scopes, tenantID)
 	claims = applyConfiguredIDTokenClaims(claims, client.Metadata)
+	claims = withRefreshTokenExpiryClaim(claims, time.Now())
 	return withOidcSessionMetadata(claims, sessionID)
 }