Details
Bug
Status: Closed
Major
Resolution: Fixed
Description
The JSON generated by Amber makes "expires_in" a string. For example this:
OAuthASResponse.tokenResponse(200)
    .setTokenType("bearer")
    .setAccessToken("sometoken")
    .setExpiresIn("3600")
    .buildJSONMessage()
    .getBody()
Results in this JSON:
{ "expires_in":"3600", "token_type":"bearer", "access_token":"sometoken" }
Whereas the examples in sections 4.1.4 and 4.3.3 of the OAuth 2.0 (draft 26) spec suggest it should be a number:
{ "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter":"example_value" }
https://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-4.1.4
https://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-4.3.3
Confusingly, the spec actually uses "3600" in the body text, but I assume the quotes are there to distinguish it as a literal value rather than meaning it should be a JSON string:
expires_in
RECOMMENDED. The lifetime in seconds of the access token. For
example, the value "3600" denotes that the access token will
expire in one hour from the time the response was generated.
If omitted, the authorization server SHOULD provide the
expiration time via other means or document the default value.
https://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-4.2.2
https://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-5.1
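
The following is an added example, not code from Amber or from the report: a client-side sketch in Python showing how a token-response consumer can accept both the number form from the spec examples and the string form described above, while rejecting values that would yield a wrong token lifetime. The function and class names are hypothetical, and treating a digit-only string as acceptable is an interoperability assumption, not something the spec states.

```python
import json
import time

class TokenResponseError(ValueError):
    """Raised when a token response cannot be used safely."""

def parse_expires_in(value):
    """Return the token lifetime in whole seconds, or None if absent.

    Accepts a JSON number (the form in the spec examples) and, as an
    interoperability assumption, a string of ASCII digits (the form in
    this report). Everything else is rejected rather than guessed at.
    """
    if value is None:
        return None
    if isinstance(value, bool):  # bool is a subclass of int in Python
        raise TokenResponseError("expires_in must not be a boolean")
    if isinstance(value, int):
        seconds = value
    elif isinstance(value, str) and value.isascii() and value.isdigit():
        seconds = int(value)
    else:
        raise TokenResponseError(f"unusable expires_in: {value!r}")
    if seconds < 0:
        raise TokenResponseError("expires_in must not be negative")
    return seconds

def load_token_response(body, now=None):
    """Parse a token response body and compute an absolute expiry time."""
    data = json.loads(body)
    if not isinstance(data, dict) or not isinstance(data.get("access_token"), str):
        raise TokenResponseError("missing access_token")
    lifetime = parse_expires_in(data.get("expires_in"))
    now = time.time() if now is None else now
    # None means no lifetime was given; the caller must apply its own default.
    expires_at = None if lifetime is None else now + lifetime
    return {"access_token": data["access_token"],
            "token_type": data.get("token_type"),
            "expires_at": expires_at}

# Bodies copied from the report above: Amber's output, then the spec example.
AMBER_BODY = '{ "expires_in":"3600", "token_type":"bearer", "access_token":"sometoken" }'
SPEC_BODY = ('{ "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"example", '
             '"expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", '
             '"example_parameter":"example_value" }')
```
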