...
An OAuth Relying Party application can use a granted access token until expiration. The timeout for access tokens is the smaller of the timeout value under "Server Security" on the main page of the SSO Management console (See Figure 3 in pageĀ Timeout configuration - SSO Timeout Configuration) and the Agent Application timeout value on the Agent Application configuration page (See Figure 4 in pageĀ Timeout configuration - SSO Timeout Configuration).
If the timeout setting of an OAuth agent application is set to 0 in the Management console, the session and the access token issued will immediately expire at the time of issue and the access token will be rejected when used at the userinfo endpoint.
The use of the userinfo endpoint is optional and unnecessary if there are no user attributes.
...