[
https://issues.apache.org/jira/browse/CXF-4834?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13581382#comment-13581382
]
Sergey Beryozkin commented on CXF-4834:
---------------------------------------
"expires_in" is actually reported by default - the reason this can be made
optional is that OAuth2 says it is an optional parameter. I think if the admin
decides (mostly for security reasons I guess) not to report it then the client,
upon receiving 401 from the resource server, will need to request a new one (by
repeating the original flow where this token was acquired) or use a refresh
token grant to refresh a token; I think realistically, what this parameter can
really help the client with, is to avoid a futile attempt to request a resource
when a token has already expired - so this mostly allows for an
optimization; or for the client-driven revocation, with the latest token
revocation draft
> AccessTokenService not include issuedAt on ClientAccessToken
> ------------------------------------------------------------
>
> Key: CXF-4834
> URL: https://issues.apache.org/jira/browse/CXF-4834
> Project: CXF
> Issue Type: Improvement
> Components: JAX-RS Security
> Affects Versions: 2.7.3
> Reporter: David
> Priority: Minor
> Fix For: 2.7.3
>
>
> I'm currently using ClientAccessToken AccessTokenService and is not included
> issuedAt value is always -1. Could you include the value of serverToken
> issuedAt in ClientAccessToken?
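The client behaviour described in the comment, as an added example that is not part of the original message and is not CXF code: with "expires_in" reported the client renews before sending, without it the client learns of expiry only from the 401. `Token`, `ExpiresInAwareClient`, the 60-second lifetime and the in-memory resource server are assumptions, and the client stamps each token with its own receipt time instead of relying on a reported issuedAt.

```java
import java.util.function.Function;
import java.util.function.Supplier;

public class ExpiresInAwareClient {
    /** Hypothetical token holder; expiresIn < 0 means "expires_in" was not reported. */
    static final class Token {
        final String value; final long receivedAt; final long expiresIn;
        Token(String value, long receivedAt, long expiresIn) {
            this.value = value; this.receivedAt = receivedAt; this.expiresIn = expiresIn;
        }
        boolean knownExpired(long now) {
            return expiresIn >= 0 && now >= receivedAt + expiresIn;
        }
    }

    private final Supplier<Token> renew;          // refresh grant, or the original flow repeated
    private final Function<Token, Integer> send;  // performs the request, returns the HTTP status
    private Token token;
    int sent = 0;                                 // requests that reached the resource server

    ExpiresInAwareClient(Supplier<Token> renew, Function<Token, Integer> send) {
        this.renew = renew; this.send = send; this.token = renew.get();
    }

    int request(long now) {
        if (token.knownExpired(now)) token = renew.get();  // skip the futile attempt
        int status = attempt();
        if (status == 401) {       // expiry was unknown, or the token was revoked early
            token = renew.get();
            status = attempt();
        }
        return status;
    }

    private int attempt() { sent++; return send.apply(token); }

    public static void main(String[] args) {
        long[] clock = {0};        // constructed clock, in seconds
        long lifetime = 60;        // constructed server-side token lifetime
        Function<Token, Integer> server = t -> clock[0] < t.receivedAt + lifetime ? 200 : 401;
        for (long reported : new long[] {lifetime, -1}) {
            clock[0] = 0;
            ExpiresInAwareClient c = new ExpiresInAwareClient(
                () -> new Token("constructed-token", clock[0], reported), server);
            clock[0] = 10;
            c.request(clock[0]);
            clock[0] = 90;         // the first token has expired by now
            int status = c.request(clock[0]);
            System.out.println("expires_in=" + reported + " status=" + status + " sent=" + c.sent);
        }
    }
}
```

Both runs end with a successful response; the run without "expires_in" reaches it with one more request to the resource server, which is the optimization the comment refers to.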