thephpleague / oauth2-client

Easy integration with OAuth 2.0 service providers.

Home Page: http://oauth2-client.thephpleague.com

Token from storage should expire but hasExpired always returns false

edsonhoraciojunior opened this issue

I'm using OAuth 2 with Forge Autodesk; they usually return tokens with expires_in: 3599.
If I get a token from storage and run

```php
// $token starts out as the array loaded from storage
$token = new AccessToken($token);
if ($token->hasExpired()) {
    $this->refreshToken($token);
}
```

$accessToken->hasExpired() always returns false, because in the constructor the expiration date is calculated with timeNow + expires_in.
With this logic, the token will never expire, which is incorrect.

  1. Is this logic incorrect?
  2. Am I using OAuth wrong? Am I expected to always refresh the token before using it for the second time, even if it didn't expire?

My buddies and I were checking this situation and we found out that instead of saving the token->getValues() (which has expires_in) to the DB, we should save the result of jsonSerialize(), which calculates the expires with the correct timestamp in seconds.
I think we can improve the documentation by adding this info, making it explicit. What do you think?
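The storage difference described in this issue, as an added example that is not part of the original post or the project's documentation. It assumes league/oauth2-client 2.x installed via Composer; the token values are constructed, and `rehydrate` and `needsRefresh` are hypothetical helper names.

```php
<?php
// Added example; assumes league/oauth2-client 2.x is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use League\OAuth2\Client\Token\AccessToken;

// Constructed sample: a token issued two hours ago with a one-hour lifetime.
$issuedAt = time() - 7200;

// Row A: the raw token response, persisted with the relative expires_in.
$rowRelative = json_encode([
    'access_token'  => 'constructed-access-token',
    'refresh_token' => 'constructed-refresh-token',
    'expires_in'    => 3599,
]);

// Row B: jsonSerialize() output for the same token, which carries an absolute
// "expires" timestamp fixed at issue time.
$atIssue = new AccessToken([
    'access_token'  => 'constructed-access-token',
    'refresh_token' => 'constructed-refresh-token',
    'expires'       => $issuedAt + 3599,
]);
$rowAbsolute = json_encode($atIssue->jsonSerialize());

// Hypothetical helper: rebuild an AccessToken from a stored JSON row.
function rehydrate(string $json): AccessToken
{
    return new AccessToken(json_decode($json, true));
}

// Hypothetical helper: refresh slightly early, and treat a token with no
// stored expiry as stale instead of trusting it indefinitely.
function needsRefresh(AccessToken $token, int $skewSeconds = 60): bool
{
    $expires = $token->getExpires();
    return $expires === null || $expires <= time() + $skewSeconds;
}

// Row A restarts its lifetime at load time (time() + expires_in), so the
// two-hour-old token still looks fresh; row B keeps the original deadline.
foreach (['relative' => $rowRelative, 'absolute' => $rowAbsolute] as $label => $row) {
    $token = rehydrate($row);
    printf("%-8s expires=%d hasExpired=%s needsRefresh=%s\n", $label,
        $token->getExpires(),
        var_export($token->hasExpired(), true),
        var_export(needsRefresh($token), true));
}
```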