Using the Oauth 2.0 Authorization Code Grant workflow, a client app receives Refresh Tokens with properties pwd_exp and pwd_url. Is there documentation available for these properties?
I understand what they represent: pwd_exp is the time in seconds remaining until the user's password expires, and pwd_url gives the URL where the user can change/reset his password.
The specific issue I have is that for a given user, it appears that the properties are present sometimes but not always. For example, for a user I created in an AAD instance, the property seems to be not sent immediately after the user changes his password and then reappears later.
It would nice to have guidance on the use of these properties, too. Should an app set a threshold on pwd_exp and send a user to pwd_url when the password expiration is "imminent" based on that threshold. If not that, then what exception should an app catch that indicates the password has expired?