Identifying android.app.ServiceConnectionLeaked exceptions in logcat output points to missing missing call to AuthorizationService.dispose() calls to clean up bindings to net.openid.appauth.browser.CustomTabManager.
This seems to be at least part of the cause of issue #102 (closed). Local testing continues, but testing these patches for four days, the submitter has not been forced to reauthenticate. Issue #102 (closed) has been hard to reproduce, so this may not be a final fix. But we think it deserves additional testing.
Note: the submitter is neither an Android, nor a Kotlin, developer. But he has been able to reproduce the token expiration fairly regularly, often with overnight testing in the AndroidStudio emulator. Please review the patch with this inexperience in mind.
Inspiration for third patch (Close AuthenticationService leak): service-leak.log)
Inspiration for second patch (Suppress update call in callback exception path): auth-exceptions.log. The extra exception detail in this log comes from the first patch (Embellish exception reporting).