expires_ in
Registry Context
`expires_in` tells an OAuth client the access token's lifetime in seconds. RFC 6749 defines it for token responses and legacy implicit-grant authorization responses.
Technical Summary
RFC 6749 defines `expires_in` as a RECOMMENDED response parameter conveying the access token lifetime in seconds. If it is omitted, the authorization server SHOULD communicate the expiration time by another means or document the default. Its syntax is one or more digits. RFC 9700 advises clients not to use response types that issue access tokens in authorization responses, including the implicit grant, unless specified protections are in place.
When Used
Token responses and legacy implicit-grant authorization responses
Normative Requirements
Clients
RFC 9700 - Section 2.1.2
use the implicit grant or another response type that issues access tokens in the authorization response..
Condition: Unless access token injection is prevented and the specified token-leakage vectors are mitigated.
clients SHOULD NOT use the implicit grant (response type token) or other response types issuing access tokens in the authorization response
RFC 9700 - Section 2.1.2
use the `code` response type or another response type that causes access tokens to be issued in the token response..
Condition: Instead of using a response type that issues access tokens in the authorization response.
Clients SHOULD instead use the response type code (i.e., authorization code grant type)
Authorization servers
RFC 6749 - Section 4.2.2
provide the expiration time by other means or document the default value..
Condition: If `expires_in` is omitted from an implicit-grant access token response.
If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.
RFC 6749 - Section 5.1
provide the expiration time by other means or document the default value..
Condition: If `expires_in` is omitted from a successful access token response.
If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.
RFC 6749 - Section 4.2.2
include `expires_in` to convey the access token lifetime in seconds..
Condition: When issuing an access token in a successful implicit-grant authorization response.
expires_in RECOMMENDED. The lifetime in seconds of the access token.
RFC 6749 - Section 5.1
include `expires_in` to convey the access token lifetime in seconds..
Condition: When issuing a successful access token response.
expires_in RECOMMENDED. The lifetime in seconds of the access token.
Validation Guidance
For a successful token response, warn if `expires_in` is absent and no alternate expiration mechanism or documented default exists.
If validating a legacy implicit-grant response, warn if `expires_in` is absent and no alternate expiration mechanism or documented default exists.
Require an `expires_in` value to consist of one or more decimal digits, as specified by `expires-in = 1*DIGIT`.
Warn when a client uses the implicit grant or another response type that returns an access token in the authorization response without the exception's required protections.
Security Notes
RFC 9700 - Section 2.1.2
Access tokens issued in authorization responses are vulnerable to leakage, replay, and injection. RFC 9700 recommends using authorization code or another response type that delivers access tokens through the token response.
Reference
Details
- Entry Id
expires_in - Name
expires_in - Parameter Usage Location
authorization response, token response- Change Controller
IETF- Reference
RFC6749