ramosbugs · lovasoa · Oct 21, 2025
diff --git a/src/helpers.rs b/src/helpers.rs
@@ -1,4 +1,5 @@
 use serde::de::value::SeqAccessDeserializer;
+use serde::de::Visitor;
 use serde::ser::{Impossible, SerializeStructVariant, SerializeTupleVariant};
 use serde::{Deserialize, Deserializer, Serialize, Serializer};
 use serde_json::Value;
@@ -357,6 +358,57 @@ pub fn variant_name<T: Serialize>(t: &T) -> &'static str {
     t.serialize(VariantName).unwrap()
 }
 
+/// Serde deserializer for an optional u64 that may be represented as a string or integer.
+///
+/// Some OAuth2 providers (e.g., Azure) return the `expires_in` field as a string instead
+/// of an integer. This function accepts both formats.
+///
+/// # Example
+///
+/// Both of these JSON values will deserialize successfully:
+///
+///  * `{"expires_in": 3600}` - integer format
+///  * `{"expires_in": "3600"}` - string format (Azure)
+pub fn deserialize_optional_u64_or_string<'de, D>(deserializer: D) -> Result<Option<u64>, D::Error>
+where
+    D: Deserializer<'de>,
+{
+    struct StringOrInt;
+
+    impl<'de> Visitor<'de> for StringOrInt {
+        type Value = Option<u64>;
+
+        fn expecting(&self, formatter: &mut std::fmt::Formatter) -> std::fmt::Result {
+            formatter.write_str("string or unsigned integer")
+        }
+
+        fn visit_str<E>(self, value: &str) -> Result<Self::Value, E>
+        where
+            E: serde::de::Error,
+        {
+            Ok(Some(
+                value.parse::<u64>().map_err(serde::de::Error::custom)?,
+            ))
+        }
+
+        fn visit_u64<E>(self, value: u64) -> Result<Self::Value, E>
+        where
+            E: serde::de::Error,
+        {
+            Ok(Some(value))
+        }
+
+        fn visit_none<E>(self) -> Result<Self::Value, E>
+        where
+            E: serde::de::Error,
+        {
+            Ok(None)
+        }
+    }
+
+    deserializer.deserialize_any(StringOrInt)
+}
+
 #[cfg(test)]
 mod tests {
     use serde::Deserialize;

diff --git a/src/token/mod.rs b/src/token/mod.rs
@@ -605,6 +605,10 @@ where
     #[serde(deserialize_with = "crate::helpers::deserialize_untagged_enum_case_insensitive")]
     token_type: TT,
     #[serde(skip_serializing_if = "Option::is_none")]
+    /// The lifetime in seconds of the access token. Should be an integer according to the RFC,
+    /// but some providers such as Azure AD return a string.
+    #[serde(default)]
+    #[serde(deserialize_with = "crate::helpers::deserialize_optional_u64_or_string")]
     expires_in: Option<u64>,
     #[serde(skip_serializing_if = "Option::is_none")]
     refresh_token: Option<RefreshToken>,

diff --git a/src/token/tests.rs b/src/token/tests.rs
@@ -1239,3 +1239,46 @@ fn test_extension_serializer() {
         serialized,
     );
 }
+
+#[test]
+fn test_exchange_code_with_expires_in_as_string() {
+    // See https://feedback.azure.com/d365community/idea/7772fd95-26e6-ec11-a81b-0022484ee92d
+    let client = BasicClient::new(ClientId::new("aaa".to_string()))
+        .set_client_secret(ClientSecret::new("bbb".to_string()))
+        .set_auth_uri(AuthUrl::new("https://example.com/auth".to_string()).unwrap())
+        .set_token_uri(TokenUrl::new("https://example.com/token".to_string()).unwrap());
+
+    let token = client
+        .exchange_code(AuthorizationCode::new("ccc".to_string()))
+        .request(&mock_http_client(
+            vec![
+                (ACCEPT, "application/json"),
+                (CONTENT_TYPE, "application/x-www-form-urlencoded"),
+                (AUTHORIZATION, "Basic YWFhOmJiYg=="),
+            ],
+            "grant_type=authorization_code&code=ccc",
+            None,
+            Response::builder()
+                .status(StatusCode::OK)
+                .header(
+                    CONTENT_TYPE,
+                    HeaderValue::from_str("application/json").unwrap(),
+                )
+                .body(
+                    "{\
+                       \"access_token\": \"12/34\", \
+                       \"token_type\": \"bearer\", \
+                       \"expires_in\": \"3600\"\
+                       }"
+                    .to_string()
+                    .into_bytes(),
+                )
+                .unwrap(),
+        ))
+        .unwrap();
+
+    assert_eq!("12/34", token.access_token().secret());
+    assert_eq!(BasicTokenType::Bearer, *token.token_type());
+    assert_eq!(3600, token.expires_in().unwrap().as_secs());
+    assert!(token.refresh_token().is_none());
+}