# http4k
d
Somewhat for the purpose of educating myself, if accessToken doesn’t have expiration, is it fair to make the token non-expirable? Rather than having some default less than Long.MAX? I’m looking at
expiry = it.expiresIn?.let { clock.instant().plusSeconds(it) } ?: MAX
here https://github.com/http4k/http4k/blob/249ad0c727f5f1cabae0b4d2c22af999a532722a/cor[…]tlin/org/http4k/security/oauth/client/clientFilterExtensions.kt
d
from the spec:
expires_in (recommended) If the access token expires, the server should reply with the duration of time the access token is granted for.
Whilst recommending best practices, I don't think we can legitimately just make up a value here - we're trying to be unopinionated in the code except for following the spec
d
Yes, I understand that expires_in can be missing. What I mean is that using Long.MAX makes the client never refresh the token again, and I guess it will be stuck if the non-expirable token is revoked at some point 🤔
d
you assume that the server will support refresh tokens..
d
Maybe the server I’m integrating with is a bit broken, but I can see access token without expiry or refresh token.
d
then the server doesn't expire the tokens! you can modify it I think by passing something to modify the response