There are very good reasons the expiry time is not prescribed as it should depend a lot on your backend (how and how often you validate access tokens) and who has them and the flows.
Questions you should ask (and evaluate corresponding threats):
1. How soon the access token stops working when corresponding refresh token is invalidated?
2. Does the Access token go through all over SSL and never shows up in logs? Where does it get stored?
If for 1, your system checks the access token against the refresh token every time it is used (on resource endpoints) then you may be able to issue longer access tokens (after considering 2). If access tokens are only verified with signature and timestamps then you want them short lived as there is a gap after a user invalidates the grant.
There are other use cases where the operation may last for hours (like large file uploads, or watching a movie), where you would want access token to be longer to accommodate most of the use cases where it shouldn't expire in the middle.
We have access tokens that last anywhere from minutes to years (different use cases and risks).
Thanks
Naveen