Currently it seems the AS alone is responsible for deciding on the expires_in value for auth_req_id.
Talking through possible use cases, it seems like often the client is going to have a better idea of what a useful auth_req_id lifetime might be. For example, if the user is trying to make an immediate payment in a store, an auth_req_id expiry is likely to be single-digit minutes.
If the client is trying to schedule a payment itself (e.g. a weekly auto sweep into a savings account), it would be quite reasonable to give the user 24 hours or more to authorise the payment.
I'd hence be tempted to add a "requested_auth_req_id_expiry" (or perhaps something with a less clumsy name) parameter to the authentication request.