From 82931f8ae8e24ba70b43e196f18d9e41ebb66215 Mon Sep 17 00:00:00 2001 From: PieterKas <90690777+PieterKas@users.noreply.github.com> Date: Wed, 1 Oct 2025 14:21:29 +0100 Subject: [PATCH] Remove prohibition on returning expires_in and scope See #202 --- draft-ietf-oauth-transaction-tokens.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/draft-ietf-oauth-transaction-tokens.md b/draft-ietf-oauth-transaction-tokens.md index 3f11f0d..383778d 100644 --- a/draft-ietf-oauth-transaction-tokens.md +++ b/draft-ietf-oauth-transaction-tokens.md @@ -595,7 +595,7 @@ A successful response to a Txn-Token Request by a Transaction Token Service is c * The `access_token` value MUST be the Txn-Token JWT * The `issued_token_type` value MUST bet set to `urn:ietf:params:oauth:token-type:txn_token` -The Txn-Token Response MUST NOT include the values `expires_in`, `refresh_token` and `scope` +The Txn-Token Response MUST NOT include the `refresh_token` value. {{figtxtokenresponse}} shows a non-normative example of a Txn-Token Response. @@ -666,8 +666,6 @@ A Txn-Token is not resistant to replay attacks. A long-lived Txn-Token therefore Because Txn-Tokens are short-lived, the Txn-Token response from the Txn-Token service does not contain the `refresh_token` field. A Txn-Token cannot be issued by presenting a `refresh_token`. -The `expires_in` field of the OAuth 2.0 Token Exchange specification {{RFC8693}} is not used in Txn-Token responses since the issued token has an `exp` field, which indicates the token lifetime. - ## Access Tokens When creating Txn-Tokens, the Txn-Token MUST NOT contain the Access Token presented to the external endpoint. If an Access Token is included in a Txn-Token, an attacker may extract the Access Token from the Txn-Token, and replay it to any Resource Server that can accept that Access Token. Txn-Token expiry does not protect against this attack since the Access Token may remain valid even after the Txn-Token has expired.
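Review bot: In the first hunk, replacing "MUST NOT include the values `expires_in`, `refresh_token` and `scope`" with "MUST NOT include the `refresh_token` value." lifts the prohibition on `expires_in` and `scope` without saying what a client should do when either is present. Since the token carries its own `exp` claim (see the paragraph deleted in the second hunk), a reader is left to guess whether `expires_in` is informational or authoritative, and what `scope` means for a Txn-Token that has no scope semantics defined elsewhere in the draft. Suggest adding a sentence after the new line along the lines of "The Txn-Token Response MAY include `expires_in` and `scope`; the `exp` claim of the Txn-Token is authoritative for the token lifetime." While here, the unchanged context line "The `issued_token_type` value MUST bet set to" has a typo ("bet" for "be") worth fixing in the same PR.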
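Review bot: The second hunk deletes the only text that tied the Txn-Token lifetime to the `exp` claim ("... since the issued token has an `exp` field, which indicates the token lifetime"), leaving the Replay section with no statement about which value governs if a response's `expires_in` and the JWT's `exp` disagree. Rather than dropping the paragraph outright, suggest rewording it to the new policy, for example "If the Txn-Token response includes `expires_in`, it is informational; the `exp` claim of the Txn-Token determines when the token expires." That keeps the security rationale for short-lived tokens next to the `refresh_token` paragraph that remains.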