In the context of Dynamic Client Registration, the Access Token field under OAuth2 Client > Advanced > Access Token does not appear to enforce any form of expiry. Once the Access Token has been generated, you can wait out the expiry time (e.g. 6 minutes) and then perform a client update REST request. See https://backstage.forgerock.com/docs/am/6.5/oauth2-guide/index.html#dynamic-management-update
- Create an OIDC provider (ensure Allow Open Dynamic Client Registration is disabled).
- Create a Master OAuth2 Client as described in https://backstage.forgerock.com/docs/am/6.5/oauth2-guide/index.html#register-oauth2-client-dynamic-access-token-example
- Register a Dynamic Client as described in the same link as step 2.
- Wait a generous amount of time for the Access Token to expire as per your config (set either at client level or, if that is set to 0, at provider level). Perform a dynamic update using the Access Token provided under OAuth2 Client > Advanced > Access Token.
- The PUT update config request will be successful, even though the access token should be expired. A new Access Token will be generated in the field.
- Additional test: You can change a character in the Access Token in the request, make the same change in the OAuth2 Client settings, and the request will still be successful. The setting therefore does not seem to enforce much validation here.
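
A minimal model of the two checks, added here as an illustration and not ForgeRock AM code: `observed_check` mirrors the behaviour reported in the steps above (the request succeeds whenever the presented token equals the stored field), and `hardened_check` is one way to also enforce integrity and expiry. The HMAC token format, `SERVER_KEY` and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side signing key


def issue_token(lifetime_s, now=None):
    """Issue a token that carries its own expiry, bound by an HMAC."""
    now = time.time() if now is None else now
    body = f"{secrets.token_urlsafe(16)}.{int(now + lifetime_s)}"
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def observed_check(presented, stored):
    """Behaviour reported above: only equality with the stored field."""
    return presented == stored


def hardened_check(presented, stored, now=None):
    """Equality with the stored field, plus integrity and expiry checks."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(presented.encode(), stored.encode()):
        return False
    try:
        body, sig = presented.rsplit(".", 1)
        expires_at = int(body.rsplit(".", 1)[1])
    except (ValueError, IndexError):
        return False  # not in the expected id.expiry.signature shape
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False  # token was altered after issuance
    return now < expires_at


def flip_last_char(token):
    """Constructed tampering: change the final character of the token."""
    return token[:-1] + ("0" if token[-1] != "0" else "1")
```

Because the expiry and signature travel inside the token, editing the stored field to match a modified token no longer makes the request succeed.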