Alex Osborne created AMBER-53:
---------------------------------
Summary: "expires_in" field in JSON responses should be a number
not a string
Key: AMBER-53
URL: https://issues.apache.org/jira/browse/AMBER-53
Project: Amber
Issue Type: Bug
Components: OAuth 2.0 - Authorization Server
Reporter: Alex Osborne
The JSON generated by Amber makes "expires_in" a string. For example this:
OAuthASResponse.tokenResponse(200)
.setTokenType("bearer")
.setAccessToken("sometoken")
.setExpiresIn("3600")
.buildJSONMessage()
.getBody()
Results in this JSON:
{
"expires_in":"3600",
"token_type":"bearer",
"access_token":"sometoken"
}
Whereas the examples in sections 4.1.4 and 4.3.3 of the OAuth 2.0 (draft 26)
spec suggest it should be a number:
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter":"example_value"
}
https://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-4.1.4
https://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-4.3.3
Confusingly the spec actually uses "3600" in the body text, but I assume the
quotes are there to distinguish it as literal value rather than meaning it
should be a JSON string:
expires_in
RECOMMENDED. The lifetime in seconds of the access token. For
example, the value "3600" denotes that the access token will
expire in one hour from the time the response was generated.
If omitted, the authorization server SHOULD provide the
expiration time via other means or document the default value.
https://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-4.2.2
https://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-5.1
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
