oauth2.dev

expired_token

IETF

Registry Context

An OAuth device authorization grant error indicating that the device_code has expired and the device authorization session has concluded.

Technical Summary

RFC 8628 Section 3.5 defines expired_token for device authorization grant token endpoint error responses. It indicates that the device_code has expired and the device authorization session has concluded.

When Used

In a device authorization grant token endpoint response when the device_code has expired.

Normative Requirements

Clients

MUST (1)
  1. RFC 8628 - Section 3.5

    stop polling the token endpoint.

    Condition: When it receives expired_token, which is an error other than authorization_pending or slow_down.

    If the client receives an error response with any other error code, it MUST stop polling.

SHOULD (2)
  1. RFC 8628 - Section 3.5

    wait for user interaction before restarting to avoid unnecessary polling.

    Condition: When commencing a new device authorization request after receiving expired_token.

    The client ... SHOULD wait for user interaction before restarting to avoid unnecessary polling.

  2. RFC 8628 - Section 3.5

    react appropriately to the error, for example by displaying an error to the user.

    Condition: When it receives expired_token and stops polling.

    [It] SHOULD react accordingly, for example, by displaying an error to the user.

MAY (1)
  1. RFC 8628 - Section 3.5

    commence a new device authorization request.

    Condition: After receiving expired_token.

    The client MAY commence a new device authorization request.

Authorization servers

MUST NOT (1)
  1. RFC 6749 - Section 5.2

    include characters outside the permitted error-parameter character set.

    Condition: When serializing the error parameter value.

    Values for the "error" parameter MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.

REQUIRED (1)
  1. RFC 6749 - Section 5.2

    include an error parameter containing a single ASCII error code.

    Condition: When returning a token endpoint error response.

    error REQUIRED. A single ASCII [USASCII] error code.

Validation Guidance

error

Verify that a device authorization grant token endpoint response uses the exact error value `expired_token` when the device_code has expired and the device authorization session has concluded.

warning

Verify that `expired_token` is used for device authorization grant token endpoint responses, as specified by RFC 8628 Section 3.5.

error

Verify that the client stops polling after receiving `expired_token`. A new device authorization request may be started, but the client should wait for user interaction before restarting.
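The client-side behaviour these checks cover, as an added example that is not part of the registry entry or of RFC 8628 itself: a polling loop that keeps going on authorization_pending and slow_down, validates each error value against the RFC 6749 Section 5.2 character set, and stops as soon as expired_token (or any other code) arrives. The function names and the sample token-endpoint bodies are constructed here.

```python
import re
from typing import Iterable, List, Tuple

# RFC 6749 section 5.2: an error code is a single ASCII token drawn from
# %x20-21 / %x23-5B / %x5D-7E, i.e. printable ASCII without '"' and '\'.
ERROR_CHARSET = re.compile(r"[\x20-\x21\x23-\x5B\x5D-\x7E]+")

# Only these two codes tell the client to keep polling (RFC 8628 section 3.5).
CONTINUE_CODES = {"authorization_pending", "slow_down"}

def valid_error_value(value: str) -> bool:
    """True if the error parameter obeys the RFC 6749 character-set rule."""
    return ERROR_CHARSET.fullmatch(value) is not None

def poll_device_token(bodies: Iterable[dict], interval: int = 5) -> Tuple[str, int, List[int]]:
    """Run the device-grant polling loop over parsed token-endpoint JSON bodies.

    Returns (outcome, polls_made, waits); 'waits' lists the interval the client
    would sleep before each re-poll. Sleeping is left out so the loop runs offline.
    """
    waits: List[int] = []
    polls = 0
    for body in bodies:
        polls += 1
        if "access_token" in body:
            return "authorized", polls, waits
        error = body.get("error")
        if not isinstance(error, str) or not valid_error_value(error):
            return "malformed_error", polls, waits  # do not keep polling blindly
        if error == "slow_down":
            interval += 5  # RFC 8628: add 5 seconds to the polling interval
        if error in CONTINUE_CODES:
            waits.append(interval)
            continue
        # expired_token (or any other code): the session is over, stop polling.
        # A new device authorization request should wait for user interaction.
        return error, polls, waits
    return "no_response", polls, waits

# Constructed token-endpoint bodies for a session that times out; not captured
# from any real authorization server.
SAMPLE_BODIES = [
    {"error": "authorization_pending"},
    {"error": "slow_down"},
    {"error": "authorization_pending"},
    {"error": "expired_token", "error_description": "device_code has expired"},
    {"error": "authorization_pending"},  # never consumed: polling has stopped
]
```

Running `poll_device_token(SAMPLE_BODIES)` returns `("expired_token", 4, [5, 10, 10])`: four polls, the interval raised once by slow_down, and the fifth body never requested.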

Security Notes

RFC 8628 - Section 3.5

Waiting for user interaction before restarting avoids unnecessary polling after the device authorization session expires.

Reference

Details

Entry Id: expired_token
Name: expired_token
Usage Location: Token endpoint response
Protocol Extension: RFC8628
Change Controller: IETF
Reference: RFC8628 - Section 3.5