oauth2.dev

expires_in

IETF

Registry Context

`expires_in` tells an OAuth client the access token's lifetime in seconds. RFC 6749 defines it for token responses and legacy implicit-grant authorization responses.

Technical Summary

RFC 6749 defines `expires_in` as a RECOMMENDED response parameter conveying the access token lifetime in seconds. If it is omitted, the authorization server SHOULD communicate the expiration time by another means or document the default. Its syntax is one or more digits. RFC 9700 advises clients not to use response types that issue access tokens in authorization responses, including the implicit grant, unless specified protections are in place.

When Used

Token responses and legacy implicit-grant authorization responses

Normative Requirements

Clients

SHOULD NOT
1
  1. RFC 9700 - Section 2.1.2

    use the implicit grant or another response type that issues access tokens in the authorization response..

    Condition: Unless access token injection is prevented and the specified token-leakage vectors are mitigated.

    clients SHOULD NOT use the implicit grant (response type token) or other response types issuing access tokens in the authorization response

SHOULD
1
  1. RFC 9700 - Section 2.1.2

    use the `code` response type or another response type that causes access tokens to be issued in the token response..

    Condition: Instead of using a response type that issues access tokens in the authorization response.

    Clients SHOULD instead use the response type code (i.e., authorization code grant type)

Authorization servers

SHOULD
2
  1. RFC 6749 - Section 4.2.2

    provide the expiration time by other means or document the default value..

    Condition: If `expires_in` is omitted from an implicit-grant access token response.

    If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.

  2. RFC 6749 - Section 5.1

    provide the expiration time by other means or document the default value..

    Condition: If `expires_in` is omitted from a successful access token response.

    If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.

RECOMMENDED
2
  1. RFC 6749 - Section 4.2.2

    include `expires_in` to convey the access token lifetime in seconds..

    Condition: When issuing an access token in a successful implicit-grant authorization response.

    expires_in RECOMMENDED. The lifetime in seconds of the access token.

  2. RFC 6749 - Section 5.1

    include `expires_in` to convey the access token lifetime in seconds..

    Condition: When issuing a successful access token response.

    expires_in RECOMMENDED. The lifetime in seconds of the access token.

Validation Guidance

warning

For a successful token response, warn if `expires_in` is absent and no alternate expiration mechanism or documented default exists.

warning

If validating a legacy implicit-grant response, warn if `expires_in` is absent and no alternate expiration mechanism or documented default exists.

error

Require an `expires_in` value to consist of one or more decimal digits, as specified by `expires-in = 1*DIGIT`.

warning

Warn when a client uses the implicit grant or another response type that returns an access token in the authorization response without the exception's required protections.

Security Notes

RFC 9700 - Section 2.1.2

Access tokens issued in authorization responses are vulnerable to leakage, replay, and injection. RFC 9700 recommends using authorization code or another response type that delivers access tokens through the token response.

Reference

Details

Entry Id
expires_in
Name
expires_in
Parameter Usage Location
authorization response, token response
Change Controller
IETF
Reference
RFC6749