Introspection cache should use `exp` property for invalidation

[iperdomo]

When using token introspection, usually you get exp property to know when the token will expire.

exp: OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC,
indicating when this token will expire, as defined in JWT

See: https://tools.ietf.org/html/rfc7662#section-2.2

The current code uses a custom expires_in property for the TTL in the cache.

[iperdomo]

@zandbelt I'm new to Lua, but I would like to contribute this change if you think is a valid issue

[zandbelt]

The code for token introspection pre-dates this spec and conforms (at least) to Ping Identity's and Google's vendor-specific introspection protocols.

I would indeed be good to add support for RFC7662 based introspection. A PR is welcome if it maintains functional backwards compatibility (although we may have to change the defaults). I guess an option that specifies the name of the expiry claim would be useful, see here for a similar setting in mod_auth_openidc:
https://github.com/pingidentity/mod_auth_openidc/blob/master/auth_openidc.conf#L256