Not OAuth2 compliant #684
Comments
|
From https://www.oauth.com/oauth2-servers/access-tokens/access-token-response/
So it's recommended to be this but not a hard requirement, so this doesn't make it non compliant. Secondly, though might not be the best thing you'd want, when you get the token just modify wherever you return it from, you don't have to return token itself, you can do whatever you please with it. const expires_in = token.accessTokenExpiresAt;
delete token.accessTokenExpiresAt;
return {...token, expires_in} |
|
I suppose it isn't non compliant when it comes to handling the access token itself. I would suggest that the expiration time be shared in a compliant way. It was confusing to have the time values included, but then not have them be recognized in the client. |
|
Actually... expiresAt is the time when it is expiring. So you need actually to subtract the current time from the expiresAt to get expires_in. |
I followed an example of using node-oauth2-server, and it seems the example is non-compliant with OAuth2 standards.
pedroetb/node-oauth2-server-example#10
When I return the json of the token, I get accessTokenExpiresAt instead of the expected expires_in
The text was updated successfully, but these errors were encountered: