If the iat claim is in the future at the time of the upgrade request, the server MUST reject the request.
If the exp claim is in the past at the time of the upgrade request (i.e., the token is already expired) the server MUST reject the request.
If the security token used to establish the session expires, the server MAY disconnect the session at any time. The server MUST NOT use a CloseSession message to do so. Before disconnecting the session, the server MUST send the EXPIRED_TOKEN ProtocolException.
Disconnection for this reason is considered an abnormal session termination, and the session survivability behaviors (as defined in this specification) MUST be observed. Observing these behaviors allows the client 1 hr. to reconnect the session with a valid token, without losing any session state.
Client is responsible to renew the token and pass the updated token to the server. Token renewal must be done in accordance with RFC6749, Section 6 (https://tools.ietf.org/html/rfc6749
Server must authenticate the renewed token, and update and honor the new expiration date.