I have a bunch of tests using Google accounts as an identity provider with OAuth 2.0, which since December 5 have not been working: the error is in the expires_in field of the access token response, which is no longer a JSON Number but a String (I use grant_type=authorization_code, but that should not matter):
{
"access_token": "ya29.1gD56tBWtHW3K7oZ0FINTnsqa4VYiE2YGZeQXgJ4ID79E-mZxNWoyYi7pKrs_Vyxj8FZbuxh_RGTJw",
"token_type": "Bearer",
"expires_in": "3600",
"refresh_token": "1/dGjGYC7sDFaBwpdUVpkJP2mYFYTU8HAh7T6szsKGYTs"
}
I do not use the OAuth 2.0 client library, so I parse the JSON content directly.
I noticed that both the OpenID Connect pages and the OAuth2WebServer developer pages were updated on December 5th.
Since there is no change history, I could not see clearly what was changed, but I noticed that the token endpoint URL (returned by the OpenID Connect Discovery endpoint) now has a v3/ path segment.
After some googling, I found an old endpoint ( https://accounts.google.com/o/oauth2/token ), and that endpoint seems to return the access token response with expires_in expressed as a JSON number.
After reading the OAuth 2.0 specification, it seems to me that expires_in should be expressed as a Number, not a String, so the new response format is not standard.
See RFC 6749, Section 4.1.4 and Appendix A.14 for the expires_in syntax (digits only).
Google? (OAuth 2.0) :)
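The following is an added example, not code from the original post or from Google: a small tolerant parser for an OAuth 2.0 token response that accepts expires_in either as a JSON number (what the RFC 6749 ABNF, 1*DIGIT, implies) or as a string of digits (what the post reports the v3 endpoint returning), while still rejecting anything that is not a non-negative integer. The function names, the TokenResponseError class and the two sample responses are my own; the token values in the samples are constructed placeholders, not real credentials.

```python
"""Tolerant parser for an OAuth 2.0 token response (RFC 6749 section 5.1).

Added example, not code from the original post. It accepts expires_in as a
JSON number or as a digit-only string, and rejects everything else, so that a
provider change like the one described in the post does not break the client
but a garbage value still cannot become a token lifetime. Samples are constructed.
"""
import json
import re
import time

# RFC 6749 Appendix A.14: expires-in = 1*DIGIT
_DIGITS = re.compile(r"^[0-9]+$")


class TokenResponseError(ValueError):
    """Raised when a token response is structurally invalid (hypothetical name)."""


def parse_expires_in(value):
    """Return expires_in as an int, accepting int or digit-only str.

    bool is checked first because it subclasses int in Python; floats,
    negatives, empty or non-numeric strings and None are all rejected.
    """
    if isinstance(value, bool):
        raise TokenResponseError("expires_in must be a number, got bool")
    if isinstance(value, int):
        if value < 0:
            raise TokenResponseError("expires_in must be non-negative")
        return value
    if isinstance(value, str) and _DIGITS.match(value):
        return int(value)
    raise TokenResponseError(f"expires_in is not 1*DIGIT: {value!r}")


def is_valid_expires_in(value):
    """Boolean wrapper around parse_expires_in for callers that prefer no exception."""
    try:
        parse_expires_in(value)
        return True
    except TokenResponseError:
        return False


def parse_token_response(body, now=None):
    """Parse a JSON token response body into a dict with an absolute expiry.

    access_token and token_type are REQUIRED (RFC 6749 section 5.1);
    expires_in is only RECOMMENDED, so its absence yields expires_at = None.
    Only the Bearer token type is accepted here.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise TokenResponseError(f"invalid JSON: {exc}") from None
    if not isinstance(data, dict):
        raise TokenResponseError("token response must be a JSON object")
    for field in ("access_token", "token_type"):
        if not isinstance(data.get(field), str) or not data[field]:
            raise TokenResponseError(f"missing or invalid {field}")
    if data["token_type"].lower() != "bearer":
        raise TokenResponseError(f"unsupported token_type {data['token_type']!r}")
    now = time.time() if now is None else now
    expires_at = None
    if "expires_in" in data:
        expires_at = now + parse_expires_in(data["expires_in"])
    return {
        "access_token": data["access_token"],
        "token_type": "Bearer",
        "refresh_token": data.get("refresh_token"),
        "expires_at": expires_at,
    }


# Constructed samples: the token values are placeholders, not real credentials.
V3_STYLE = '{"access_token":"ya29.AAA","token_type":"Bearer","expires_in":"3600","refresh_token":"1/BBB"}'
LEGACY_STYLE = '{"access_token":"ya29.AAA","token_type":"Bearer","expires_in":3600}'

if __name__ == "__main__":
    for body in (V3_STYLE, LEGACY_STYLE):
        print(parse_token_response(body, now=0))
```

The strict regex matters more than the leniency: a parser that accepted any string and called int() on it would also accept "36e2" or " 3600" and would raise an unhandled exception on a value like "" at the worst possible moment, during a token refresh.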