This is a sample response from the Azure B2C token endpoint:

```json
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN...",
  "token_type": "Bearer",
  "not_before": 1549647431,
  "expires_in": 3600,
  "expires_on": 1549651031,
  "resource": "f2a76e08-93f2-4350-833c-965c02483b11",
  "profile_info": "eyJ2ZXIiOiIxLjAiLCJ0aWQiOiJjNjRhNGY3ZC0zMDkxLTRjNzMtYTcyMi1hM2YwNjk0Z..."
}
```
What is the point of `not_before`, `expires_in`, and `expires_on`? The token is already time limited.

Bonus points for figuring out `resource` and `profile_info`, which are probably some MSFT specific crud that they didn't even care to explain.
`expires_in` is OAuth specific and is recommended in RFC 6749.
`expires_on` seems to be the same as a Unix timestamp.
`resource` is probably the ClientId? And `profile_info` an IdToken? But I am just guessing these two.
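How a client can use the three timing fields from the sample response above without parsing the access token, as an added example that is not part of the original question or answer. In the sample, `not_before + expires_in` equals `expires_on`; the function names, the 300-second skew and the reading of `not_before`/`expires_on` as Unix epoch seconds are assumptions.

```python
import time

# Timing fields copied from the sample response on this page (tokens omitted).
SAMPLE = {
    "token_type": "Bearer",
    "not_before": 1549647431,
    "expires_in": 3600,
    "expires_on": 1549651031,
}


def validity_window(resp, received_at):
    """Return (start, end) in epoch seconds for a token response.

    Assumption: not_before/expires_on are absolute Unix timestamps, while
    expires_in (RFC 6749) is a lifetime in seconds, relative to issuance.
    """
    expires_in = resp.get("expires_in")
    start = int(resp.get("not_before", received_at))
    if "expires_on" in resp:
        end = int(resp["expires_on"])
    elif expires_in is not None:
        # Only the relative value is present: anchor it to local receipt time.
        end = int(received_at) + int(expires_in)
    else:
        raise ValueError("response carries no expiry information")
    if end <= start:
        raise ValueError("expiry is not after not_before")
    return start, end


def token_state(resp, received_at, now=None, skew=300):
    """Classify a cached token: not_yet_valid, valid, refresh or expired.

    skew (seconds, hypothetical default) tolerates clock drift on not_before
    and asks for a refresh shortly before the hard expiry.
    """
    now = time.time() if now is None else now
    start, end = validity_window(resp, received_at)
    if now < start - skew:
        return "not_yet_valid"
    if now >= end:
        return "expired"
    if now >= end - skew:
        return "refresh"
    return "valid"
```

The absolute fields let a client cache the response and decide later whether to reuse it; `expires_in` alone only works if the client recorded when the response arrived.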