From 51a02c6d99ee1a563a59e7931cca007c41d895cc Mon Sep 17 00:00:00 2001 From: Mark Stosberg Date: Fri, 22 Jun 2018 16:49:50 -0400 Subject: [PATCH] docs: Add breaking change to 3.0 migration guide. The changed behavior of accessTokenLifetime is an undocumented breaking change in 3.0. The old behavior was spec-compliant and explicitly documented as an advertised feature in the CHANGELOG entry for 1.5.0, so a "Breaking Change" notice is warranted. The spec is clear that the expiration date is *recommended*, not required. Ref: https://tools.ietf.org/html/rfc6749#section-5.1 --- docs/misc/migrating-v2-to-v3.rst | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/misc/migrating-v2-to-v3.rst b/docs/misc/migrating-v2-to-v3.rst index 5a3ec6431..199de9383 100644 --- a/docs/misc/migrating-v2-to-v3.rst +++ b/docs/misc/migrating-v2-to-v3.rst @@ -40,7 +40,11 @@ The following server options can be set when instantiating the OAuth service: * `allowExtendedTokenAttributes`: **default false** Allows additional attributes (such as `id_token`) to be included in token responses. * `requireClientAuthentication`: **default true for all grant types** Allow ability to set client/secret authentication to `false` for a specific grant type. -The following server options have been removed in v3.0.0 +The following server options have changed behavior in v3.0.0: + + * `accessTokenLifetime` can no longer be set to `null` to indicate a non-expiring token. The recommend alternative is to set accessTokenLifetime to a high value. + +The following server options have been removed in v3.0.0: * `grants`: **removed** (now returned by the `getClient` method). * `debug`: **removed** (not the responsibility of this module).
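Review bot: the added `accessTokenLifetime` bullet recommends "a high value" without stating the unit the option is expressed in or what the server now does when it is still given `null`, so someone migrating a v2 config cannot tell what to write or how a leftover `null` will fail. Suggest naming the unit and the resulting behavior (rejected, or replaced by the default) in the same bullet. Because a very long lifetime turns the access token into what is effectively a long-lived bearer credential, a short pointer to refresh tokens or revocation as the safer way to keep sessions alive would help readers who relied on non-expiring tokens. Two wording nits in the same line: "The recommend alternative" should read "The recommended alternative", and the second mention of accessTokenLifetime is missing the backticks used for option names in the rest of the list.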