...

The response to the POST request is a JSON object (MIME type "application/json") like this:

{
    "access_token":<JWT>,
    "expires_in":300,
    "refresh_expires_in":1800,
    "refresh_token":<REFRESH_TOKEN>,
    "token_type":"bearer",
    "not-before-policy":1549438553,
    "session_state":"db478a1b-3acd-4737-bcce-bf83bc0d9eda",
    "scope":"person email"
}

The first field is the actual access token, which should be kept on the server and never passed to the end user's browser. The token_type will always be "Bearer" in this implementation. The number of seconds for which the token is valid is given in expires_in. A refresh_token field is only returned if the access_type in step A is set to "offline".
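One way to handle this response on the server, as an added example (not part of the original page or the service's own code): it parses the JSON, turns expires_in and refresh_expires_in into absolute deadlines, tolerates a missing refresh_token, and gives the browser only an opaque session id. The names SESSIONS, StoredTokens, parse_token_response and open_session, the 30-second skew, and the sample token values are assumptions constructed for illustration.

```python
import json
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample response (placeholder tokens), shaped like the one above.
SAMPLE_RESPONSE = ('{"access_token":"constructed-access-token","expires_in":300,'
                   '"refresh_expires_in":1800,"refresh_token":"constructed-refresh-token",'
                   '"token_type":"bearer","scope":"person email"}')
SESSIONS = {}  # hypothetical in-memory server-side store: session id -> StoredTokens

@dataclass(frozen=True)
class StoredTokens:
    access_token: str
    access_expires_at: float
    refresh_token: Optional[str]        # None unless offline access was requested
    refresh_expires_at: Optional[float]
    scope: frozenset

    def needs_refresh(self, now: float, skew: float = 30.0) -> bool:
        # Treat the token as expired slightly early to allow for clock drift.
        return now >= self.access_expires_at - skew

    def can_refresh(self, now: float) -> bool:
        if self.refresh_token is None:
            return False
        return self.refresh_expires_at is None or now < self.refresh_expires_at

def parse_token_response(body: str, now: float) -> StoredTokens:
    data = json.loads(body)
    # Token type names are case-insensitive, so "Bearer" and "bearer" both pass.
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    access = data.get("access_token")
    if not isinstance(access, str) or not access:
        raise ValueError("missing access_token")
    refresh = data.get("refresh_token")
    ttl = data.get("refresh_expires_in")
    return StoredTokens(
        access_token=access,
        access_expires_at=now + int(data["expires_in"]),  # int() also accepts "300"
        refresh_token=refresh,
        refresh_expires_at=now + int(ttl) if refresh and ttl is not None else None,
        scope=frozenset(str(data.get("scope", "")).split()),
    )

def open_session(body: str, now: float) -> str:
    """Keep the tokens server-side; return only an opaque id for the browser cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = parse_token_response(body, now)
    return sid
```

In a real deployment the store would be a server-side session backend rather than a module-level dict, and `now` would come from `time.time()`.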

...