You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The changed behavior of accessTokenLifetime is a undocumented breaking
change in 3.0.
The old behavior was spec-compliant and explicitly documented as an
advertised fature in the CHANGELOG entry for 1.5.0, so a "Breaking Change"
notice is warranted.
The spec is clear that the expiration date is *recommended*, not required.
Ref: https://tools.ietf.org/html/rfc6749#section-5.1
Copy file name to clipboardExpand all lines: docs/misc/migrating-v2-to-v3.rst
+5-1Lines changed: 5 additions & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -40,7 +40,11 @@ The following server options can be set when instantiating the OAuth service:
40
40
* `allowExtendedTokenAttributes`: **default false** Allows additional attributes (such as `id_token`) to be included in token responses.
41
41
* `requireClientAuthentication`: **default true for all grant types** Allow ability to set client/secret authentication to `false` for a specific grant type.
42
42
43
-
The following server options have been removed in v3.0.0
43
+
The following server options have changed behavior in v3.0.0:
44
+
45
+
* `accessTokenLifetime` can no longer be set to `null` to indicate a non-expiring token. The recommend alternative is to set accessTokenLifetime to a high value.
46
+
47
+
The following server options have been removed in v3.0.0:
44
48
45
49
* `grants`: **removed** (now returned by the `getClient` method).
46
50
* `debug`: **removed** (not the responsibility of this module).
0 commit comments