According to the specification, refresh_token is optional. A client requiring it is non conforming. Extra fields are indirectly allowed "typically along with some additional properties about the authorization."   So having both "token" and "access_token" is fine according to the standard but I assume Hyrum's law applies as well.       ... Meer weergeven