OAuth – The Good Parts - Anders Abel
Fleeting- External reference:
It is shown that the expiration time of the access token is given IN the token response metadata (the `expires_in` field) AND (generally) also inside a self-encoded access token (for example the `exp` claim of a JWT).
This illustrates that the access token is a bearer token that is opaque to the client, and the difference between ID Tokens (meant to be read by the client) and Access Tokens (meant for the resource server).
The client MUST read the expiration of the token from the token response, not try to find it by decoding the token itself.
There are libraries that implement a whole OpenID Connect client inside a browser-based OAuth web client, but he says that this is now discouraged and that people SHOULD use a BFF (Backend For Frontend) instead, as stated by the OAuth security best practices.
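Added example (mine, not from the talk or its slides): a minimal token-response handler that takes the access token lifetime from `expires_in` and never decodes the access token. The sample token response and the embedded JWT are constructed here; the JWT is unsigned and only built to show why its `exp` claim is the wrong source for expiry: `exp` is an absolute timestamp on the authorization server's clock, while `expires_in` is a duration relative to the moment the response arrived, so it is immune to clock differences between client and server. The 30-second skew margin is an assumption of this example.

```python
import base64
import json
import time
from dataclasses import dataclass
from typing import Optional

# Assumed margin: refresh this many seconds before the announced expiry so a
# request in flight does not arrive with a token that just lapsed.
EXPIRY_SKEW_SECONDS = 30


@dataclass
class StoredToken:
    access_token: str            # opaque to the client; only ever sent as a bearer token
    token_type: str
    expires_at: Optional[float]  # client-clock timestamp, or None if the AS gave no lifetime
    refresh_token: Optional[str] = None


def store_token_response(response: dict, now: Optional[float] = None) -> StoredToken:
    """Turn a token-endpoint response (RFC 6749 section 5.1 shape) into a client record.

    Expiry is computed from `expires_in`, relative to the client's own clock at
    receipt time. The access token is never decoded: it may be a JWT today and a
    random string tomorrow, and its contents are addressed to the resource server.
    """
    now = time.time() if now is None else now
    if "access_token" not in response or "token_type" not in response:
        raise ValueError("token response is missing a required member")
    if response["token_type"].lower() != "bearer":
        raise ValueError(f"unsupported token_type {response['token_type']!r}")

    expires_at = None
    if "expires_in" in response:
        lifetime = int(response["expires_in"])
        if lifetime <= 0:
            raise ValueError("expires_in must be a positive number of seconds")
        expires_at = now + lifetime

    return StoredToken(
        access_token=response["access_token"],
        token_type=response["token_type"],
        expires_at=expires_at,
        refresh_token=response.get("refresh_token"),
    )


def needs_refresh(token: StoredToken, now: Optional[float] = None) -> bool:
    """True when the token should not be used for a new request.

    If the AS sent no `expires_in`, the client cannot know the lifetime; the
    conservative choice is to keep using the token until the resource server
    rejects it with a 401, and refresh at that point.
    """
    now = time.time() if now is None else now
    if token.expires_at is None:
        return False
    return now + EXPIRY_SKEW_SECONDS >= token.expires_at


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(exp: int) -> str:
    """Constructed sample input: an unsigned JWT-shaped access token carrying `exp`."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "at+jwt"}).encode())
    payload = _b64url(json.dumps({"sub": "user-1", "aud": "api", "exp": exp}).encode())
    return f"{header}.{payload}.signature-not-verified-here"


def wrong_expiry_from_token_claim(access_token: str) -> int:
    """What NOT to do in a client: read `exp` out of the bearer token. Shown for contrast."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return int(json.loads(base64.urlsafe_b64decode(payload_b64))["exp"])


def demo():
    """Returns (expiry from expires_in, expiry read from the token's exp claim)."""
    client_now = 1_700_000_000.0
    as_clock_offset = 300  # constructed: the AS clock runs 5 minutes ahead of the client
    lifetime = 600

    # Constructed token response. The JWT's `exp` is on the AS clock; `expires_in`
    # is relative and therefore unaffected by the offset.
    response = {
        "access_token": make_sample_jwt(int(client_now) + as_clock_offset + lifetime),
        "token_type": "Bearer",
        "expires_in": lifetime,
        "refresh_token": "constructed-refresh-token",
    }
    token = store_token_response(response, now=client_now)
    return token.expires_at, wrong_expiry_from_token_claim(token.access_token)


if __name__ == "__main__":
    right, wrong = demo()
    print(f"from expires_in: {right:.0f}   from exp claim: {wrong}   (differ by {wrong - right:.0f}s)")
```

The two values differ by exactly the constructed clock offset: the client that trusts `expires_in` refreshes at the right time, the one that decodes the token would keep using it five minutes past its real lifetime.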
authorization server redirection and user experience