Hi psv, This behavior you described is by OAuth 2 design, wasn't really CAS doing something weird.
For your above step, after your client get the *access_token*, you are *suppose to store it somewhere* (maybe in session or somewhere else), instead of throwing it away and getting a new access_token everytime. After you stored it, you can use the *stored access_token* and call to *OAuth user_info endpoint*, and get the user profile. So. then what is the "expires_in" stands for? It is stands for the *valid storing duration of each access_token*, after the duration, your access_token will be invalid, and need to call to */accessToken* to renew. Since this is OAuth behaivor, I highly doubt there are any setting to allow your described use case to come true. Actually, after you get a new acces_token, you can still use both the new and old one to get user profile. So I guess if you really don't want to store the access_token, just get a new one everytime is still valid, although kind of resiource intensive... Hope this helps! Cheers! - Andy -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9ab31fc3-e930-4439-9ae3-f6c079d65c43%40apereo.org.
