Hi psv,

The behavior you described is by OAuth 2 design; it wasn't really CAS doing something weird.

For your above step, after your client gets the *access_token*, you are *supposed to store it somewhere* (maybe in the session or somewhere else), instead of throwing it away and getting a new access_token every time. After you have stored it, you can use the *stored access_token* to call the *OAuth user_info endpoint* and get the user profile.

So then what does "expires_in" stand for? It stands for the *valid storing duration of each access_token*: after that duration, your access_token will be invalid, and you need to call */accessToken* to renew it. Since this is OAuth behavior, I highly doubt there is any setting that would allow your described use case to come true.

Actually, after you get a new access_token, you can still use both the new and the old one to get the user profile. So I guess if you really don't want to store the access_token, just getting a new one every time is still valid, although kind of resource intensive...

Hope this helps!

Cheers!
- Andy
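The storage pattern Andy describes, as an added example (not code from Andy or from the CAS project): a client-side cache that keeps one access_token per session, computes an absolute expiry from `expires_in`, reuses the token for every profile call, and only goes back to the token endpoint once the token is (about to be) expired. The `FakeCasOAuth` class and the user `alice` are constructed stand-ins for the CAS /accessToken and profile endpoints so the example runs offline; the 30-second renewal margin is a design choice, not a CAS setting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class StoredToken:
    access_token: str
    expires_at: float  # absolute epoch seconds derived from expires_in


class TokenCache:
    """Keeps one access_token and renews it only when expired.

    fetch_token   -> calls the OAuth /accessToken endpoint (assumed shape:
                     dict with 'access_token' and 'expires_in', per RFC 6749)
    fetch_profile -> calls the OAuth profile / user_info endpoint with a token
    skew_seconds  -> renew slightly early so a request never arrives at the
                     server with a token that expired in flight
    """

    def __init__(self, fetch_token: Callable[[], Dict[str, object]],
                 fetch_profile: Callable[[str], Dict[str, object]],
                 clock: Callable[[], float] = time.time,
                 skew_seconds: float = 30.0) -> None:
        self._fetch_token = fetch_token
        self._fetch_profile = fetch_profile
        self._clock = clock
        self._skew = skew_seconds
        self._token: Optional[StoredToken] = None

    def _still_valid(self) -> bool:
        return (self._token is not None
                and self._clock() + self._skew < self._token.expires_at)

    def get_token(self) -> str:
        """Return the stored token, renewing it via /accessToken if needed."""
        if not self._still_valid():
            resp = self._fetch_token()
            lifetime = float(resp["expires_in"])
            self._token = StoredToken(str(resp["access_token"]),
                                      self._clock() + lifetime)
        return self._token.access_token

    def profile(self) -> Dict[str, object]:
        """Fetch the user profile with the stored (not a fresh) token."""
        return self._fetch_profile(self.get_token())


class FakeClock:
    """Constructed clock so expiry can be simulated without sleeping."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class FakeCasOAuth:
    """Constructed stand-in for the CAS OAuth 2.0 server (assumption, not the
    real implementation): /accessToken issues a fresh token each call, and the
    profile endpoint accepts any issued token that has not yet expired, so old
    and new tokens both work until their own expires_in runs out."""

    def __init__(self, clock: Callable[[], float], lifetime: int = 3600) -> None:
        self.clock = clock
        self.lifetime = lifetime
        self.issued: Dict[str, float] = {}
        self.counter = 0  # how many times /accessToken was hit

    def access_token(self) -> Dict[str, object]:
        self.counter += 1
        tok = f"AT-{self.counter}"
        self.issued[tok] = self.clock() + self.lifetime
        return {"access_token": tok, "token_type": "bearer",
                "expires_in": self.lifetime}

    def profile(self, token: str) -> Dict[str, object]:
        exp = self.issued.get(token)
        if exp is None or self.clock() >= exp:
            raise PermissionError("invalid or expired access_token")
        return {"id": "alice", "attributes": {"token_used": token}}


def run_demo() -> Dict[str, object]:
    """Five profile calls across one expiry: expect two token requests."""
    clock = FakeClock()
    server = FakeCasOAuth(clock, lifetime=3600)
    cache = TokenCache(server.access_token, server.profile, clock=clock)
    used: List[str] = []
    for _ in range(3):
        used.append(str(cache.profile()["attributes"]["token_used"]))
    clock.advance(3600)  # past expires_in, so the next call must renew
    for _ in range(2):
        used.append(str(cache.profile()["attributes"]["token_used"]))
    return {"token_calls": server.counter, "tokens_used": used}


if __name__ == "__main__":
    print(run_demo())
```

The skew margin matters in practice: a token that is valid on the client's clock but expires while the profile request is in transit produces an avoidable 401, so renewing a few seconds before the server-side deadline is cheaper than retrying.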