Azure AD /token endpoint returns expires_in as string which is causing OAuth MCP client compatibility issues

Mohamed Adil 20 Reputation points
2025-07-01T12:41:06.5866667+00:00

Hi,

  • We are developing an OAuth-compliant MCP - Model Context Protocol - server and using MCP Inspector as our OAuth and MCP client for integration and testing with Microsoft Entra ID. However when exchanging the authorization code at the /token endpoint, Azure AD returns the fields expires_in and ext_expires_in as strings instead of JSON numbers. Example response:
{
  "token_type": "Bearer",
  "expires_in": "3599",
  "ext_expires_in": "3599",
  "access_token": "...",
  ...
}


  • As a workaround, we implemented a proxy endpoint in our MCP server that forwards the /token request to Azure AD and, after receiving the token response, we convert the expires_in and ext_expires_in fields from string to integer before returning the response to the client, and this is working fine.
  • However, per the latest OAuth 2.1 draft specification, sections 3.2.3 and 4.6.1:

"expires_in":  RECOMMENDED. A JSON number that represents the lifetime in seconds of the access token. For example, the value 3600 denotes that the access token will expire in one hour from the time the response was generated. If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.

This causes interoperability issues with clients and libraries (such as MCP Inspector) that follow the standard and expect a number.

  • As far as I can see from another old question, this is the default behavior and there is no option available to change the type from string to int.

https://learn.microsoft.com/en-us/answers/questions/877384/azure-active-directory-b2c-authorization-code-flow

  • Is there any way today to configure the data type? Or are there any plans to update the token response to return expires_in and ext_expires_in as JSON numbers, per the OAuth 2.1 specification?

Thanks,
Adil

Microsoft Security | Microsoft Entra | Microsoft Entra External ID
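The proxy workaround described in the question comes down to one normalization step on the upstream response body. As an added example (not code from the original post or from Microsoft; `normalizeTokenResponse` and `toSeconds` are hypothetical names and the sample response is constructed), a strict version that converts digit-only strings and rejects anything else instead of forwarding it:

```javascript
// Added example: normalize a token response for strict OAuth clients.
// Field names come from the response in the question; function names are hypothetical.
const LIFETIME_FIELDS = ["expires_in", "ext_expires_in"];

// Convert a lifetime value to a non-negative integer, or throw.
function toSeconds(name, value) {
  if (typeof value === "number") {
    if (Number.isSafeInteger(value) && value >= 0) return value;
    throw new TypeError(`${name}: not a non-negative integer`);
  }
  // Accept only plain decimal digits: no sign, whitespace, exponent or hex,
  // all of which Number() or parseInt() would silently tolerate.
  if (typeof value === "string" && /^[0-9]{1,15}$/.test(value)) {
    return Number(value);
  }
  throw new TypeError(`${name}: unexpected ${typeof value} value`);
}

// Takes the raw body text from the upstream /token endpoint and returns
// the body text to hand back to the client. Never logs the body.
function normalizeTokenResponse(rawBody) {
  const parsed = JSON.parse(rawBody);
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new TypeError("token response is not a JSON object");
  }
  // Error responses ({"error": ...}) carry no lifetimes and pass through as-is.
  const out = { ...parsed };
  for (const name of LIFETIME_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(out, name)) {
      out[name] = toSeconds(name, out[name]);
    }
  }
  return JSON.stringify(out);
}

// Constructed sample input modelled on the response shown in the question.
const sample = JSON.stringify({
  token_type: "Bearer",
  expires_in: "3599",
  ext_expires_in: "3599",
  access_token: "constructed-placeholder-token",
});
console.log(typeof JSON.parse(normalizeTokenResponse(sample)).expires_in);
```

Failing closed on a malformed lifetime keeps the proxy from handing the client a token whose expiry it would misjudge.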

Accepted answer
  1. Navya 20,490 Reputation points Microsoft External Staff Moderator
    2025-07-01T20:01:44.5733333+00:00

    Hi Mohamed Adil

    You are correct: Microsoft Entra ID returns the expires_in and ext_expires_in fields as strings rather than JSON numbers in the /token endpoint response.

    Currently, there is no setting or configuration in either Microsoft Entra ID or Azure AD B2C that allows these fields to be returned as integers. This behavior is by design and is the default response format.

    As of now, no update has been announced regarding changes to the token response format for expires_in or ext_expires_in.

    However, a feature request has been submitted in the Azure Feedback Portal: "Token response: Return expires_in as a number". We encourage you to upvote and leave a comment to help prioritize this request.

    Hope this helps. Do let us know if you have any further queries.

    Please remember to "Accept Answer" if the answer helped you. This will help us as well as others in the community who might be researching similar questions.
