[OAUTH-WG] Access token timeout

2012-08-19 Thread Jérôme LELEU
Hi, I might be misunderstanding the OAuth 2.0 spec (part 5.1, "expires_in" property), but I understand that the timeout of the access token is a hard one (amount of time between creation and expiration). Am I right? Can we have a multiple use timeout? A sliding window timeout? Or a combinatio

Re: [OAUTH-WG] Access token timeout

2012-08-19 Thread William Mills
It's a hint to the client of when the token will probably expire. There was a lot of discussion on what the right way to go was and there were several "camps" on what the right strategy choice would be, but in the end a very simple solution was chosen. Most folks agreed that having more than one wa

Re: [OAUTH-WG] Access token timeout

2012-08-19 Thread John Bradley
A token can always expire in less than that time. I have seen deployments that use sliding windows and single use access tokens. In those cases the "expires_in" is sent as a Max time before the token will expire. A client always needs to be prepared that a token will have been revoked or exp
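
The client behaviour discussed in this thread, as an added example that is not part of the original messages: a client that treats "expires_in" as an upper bound and still recovers when the server rejects the token earlier. `Clock`, `FakeServer` and `Client` are hypothetical names, the server is a constructed stand-in with a 30-second sliding idle window, and obtaining a new token is reduced to one call (a real client would use its refresh token or repeat the grant).

```python
class Clock:  # constructed manual clock (seconds), so the example runs offline
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now

class FakeServer:
    """Constructed server: sliding idle window shorter than expires_in."""
    def __init__(self, clock, idle=30, max_life=3600):
        self.clock, self.idle, self.max_life = clock, idle, max_life
        self.tokens, self.issued = {}, 0   # token -> [issued_at, last_used]
    def issue(self):
        self.issued += 1
        tok = f"tok-{self.issued}"
        self.tokens[tok] = [self.clock(), self.clock()]
        return {"access_token": tok, "token_type": "Bearer", "expires_in": self.max_life}
    def call(self, tok):
        now, rec = self.clock(), self.tokens.get(tok)
        if rec is None or now - rec[0] >= self.max_life or now - rec[1] >= self.idle:
            self.tokens.pop(tok, None)
            return 401, "invalid_token"
        rec[1] = now
        return 200, "ok"

class Client:
    def __init__(self, server, clock, skew=10):
        self.server, self.clock, self.skew = server, clock, skew
        self.token, self.deadline = None, 0.0
    def _new_token(self):
        resp = self.server.issue()
        self.token = resp["access_token"]
        # expires_in is an upper bound, so stop using the token a bit early.
        self.deadline = self.clock() + resp["expires_in"] - self.skew
    def request(self):
        if self.token is None or self.clock() >= self.deadline:
            self._new_token()
        status, body = self.server.call(self.token)
        if status == 401:   # expired or revoked before the hinted time
            self._new_token()
            status, body = self.server.call(self.token)  # retry once only
        return status, body

def demo():
    clock = Clock()
    server = FakeServer(clock)
    client = Client(server, clock)
    first = client.request()
    clock.now += 31         # idle past the sliding window, well under expires_in
    return first, client.request(), server.issued
```

The single retry is deliberate: a second 401 on a freshly issued token points to a problem that retrying will not fix, so it is returned to the caller.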