oauth2.dev

client_secret_expires_at

IESG

Registry Context

When an authorization server issues a client secret, the client information response is required to include `client_secret_expires_at`, indicating when the secret expires or using `0` if it does not expire.

Technical Summary

RFC 7591 defines `client_secret_expires_at` in the client information response. It is REQUIRED if `client_secret` is issued. Its value is the expiration time expressed as seconds since 1970-01-01T00:00:00Z, measured in UTC, or `0` if the secret will not expire.

When Used

Used in a dynamic client registration client information response when the authorization server issues a `client_secret`.

Normative Requirements

Authorization servers

REQUIRED
1
  1. RFC 7591 - Section 3.2.1

    include `client_secret_expires_at` in the client information response.

    Condition: if `client_secret` is issued

    `client_secret_expires_at` is "REQUIRED if \"client_secret\" is issued."

Validation Guidance

error

Reject a client information response that contains `client_secret` but omits `client_secret_expires_at`.

error

Validate that a nonzero value represents seconds from 1970-01-01T00:00:00Z, measured in UTC, until the expiration date and time.

info

Accept `0` to indicate that the client secret will not expire.

Reference

Details

Entry Id
client_secret_expires_at
Client Metadata Name
client_secret_expires_at
Client Metadata Description
Time at which the client secret will expire
Change Controller
IESG
Reference
RFC7591