Why doesn’t OAuth2 directly include an expires_at timestamp in refresh token API?

Sibin_M_S · October 15, 2024, 12:45pm

Any reason the access token request response have a key called expires_at which isn’t present in the refresh token response. Why there’s such an inconsistency in the response

Access token response :
{‘scope’: [‘XXXXXXX’], ‘access_token’: ‘XXXXXXXXXXX’, ‘token_type’: ‘bearer’, ‘expires_in’: 86399, ‘refresh_token’: ‘XXXXXXXXXXX’, ‘expires_at’: 1728983888.6693249}

Refresh token response :
{‘scope’: ‘XXXXXXXXXXX’, ‘access_token’: ‘XXXXXXXXXXX’, ‘token_type’: ‘bearer’, ‘expires_in’: 86399, ‘refresh_token’: ‘XXXXXXXXXXX’}

TomScott · October 15, 2024, 5:55pm

Good morning!

That is actually an additional field we added beyond the specification for Access Tokens (of which there are more types than just provided by Authorization Code Grant internally) to match our previous provider response. I can look into getting it added to the Refresh Token response, but given it is already calculable by adding the response time to the expires_in I don’t know when it will get prioritized among our other work.

https://datatracker.ietf.org/doc/html/rfc6749#section-5.1

Sibin_M_S · October 16, 2024, 3:51am

Thanks for your reply. As you mentioned, it can be calculated using expires_in, but I was wondering why it was omitted in the refresh token API. I wanted to confirm if there are any additional use cases behind it.

Topic		Replies	Views
What are the expiry of Authorization Code I got from Request Permission API? API Q&A	4	664	October 16, 2018
Refresh token issue API Q&A	1	986	August 9, 2017
Old tokens expiring on refresh - Suggestion API Q&A enhancement-request	1	510	September 24, 2019
Get Access Token Time Left API Q&A	8	1361	March 31, 2019
Access token expiration after refreshing API Q&A access-token	10	2222	July 10, 2019

Why doesn’t OAuth2 directly include an expires_at timestamp in refresh token API?

Related topics