From draft 23, section 10.3:
The client SHOULD request access tokens with the minimal scope and
lifetimenecessary. The authorization server SHOULD take the client
identity into
account when choosing how to honor the requested scope and lifetime, and
MAY issue an access token with a less rights
There is nothing explicit in draft 23 about requesting a scope lifetime. It
is as they say fuzzy.
You know that some people have used additional scopes like offline_access to
request longer lifetimes.
It may be reasonable to preconfigure something at the tAuthorization server
based on
