Somewhat for the purpose of educating myself, if accessToken doesn’t have expiration, is it fair to make the token non-expirable? Rather than having some default less than Long.MAX? I’m looking at

expiry = it.expiresIn?.let { clock.instant().plusSeconds(it) } ?: MAX

here https://github.com/http4k/http4k/blob/249ad0c727f5f1cabae0b4d2c22af999a532722a/cor[…]tlin/org/http4k/security/oauth/client/clientFilterExtensions.kt

from the spec:

expires_in (recommended) If the access token expires, the server should reply with the duration of time the access token is granted for.

Whilst recommending best practices, I don't think we can legitmately just make up a value here - we're trying to be unopinionated in the code except for following the spec

Yes, I understand that expires_in can be missing. What I mean is that using Long.MAX makes the client never refreshing the token again and I guess it will be stuck if the non-expirable token is revoked at some point 🤔

you assume that the server will support refresh tokens..

Maybe the server I’m integrating with is a bit broken, but I can see access token without expiry or refresh token.

then the server doesn't expire the tokens! you can modify it I think by passing something to modify the response