diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/profile/IamOIDCTokenService.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/profile/IamOIDCTokenService.java
index 38d8dacd0..51047da37 100644
--- a/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/profile/IamOIDCTokenService.java
+++ b/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/profile/IamOIDCTokenService.java
@@ -64,6 +64,7 @@ import it.infn.mw.iam.api.common.error.NoSuchAccountError;
 import it.infn.mw.iam.authn.util.Authorities;
+import it.infn.mw.iam.config.client_registration.ClientRegistrationProperties;
 import it.infn.mw.iam.persistence.model.IamAccount;
 import it.infn.mw.iam.persistence.repository.IamAccountRepository;
@@ -83,13 +84,14 @@ public class IamOIDCTokenService implements OIDCTokenService {
 private final ClientKeyCacheService encrypters;
 private final SymmetricKeyJWTValidatorCacheService symmetricCacheService;
 private final OAuth2TokenEntityService tokenService;
+ private final ClientRegistrationProperties clientProps;
 public IamOIDCTokenService(Clock clock, JWTProfileResolver profileResolver, IamAccountRepository accountRepository, JWTSigningAndValidationService jwtService, AuthenticationHolderRepository authenticationHolderRepository, ConfigurationPropertiesBean configBean, ClientKeyCacheService encrypters, SymmetricKeyJWTValidatorCacheService symmetricCacheService,
- OAuth2TokenEntityService tokenService) {
+ OAuth2TokenEntityService tokenService, ClientRegistrationProperties clientProps) {
 this.clock = clock;
 this.profileResolver = profileResolver;
 this.accountRepository = accountRepository;
@@ -99,6 +101,7 @@ public IamOIDCTokenService(Clock clock, JWTProfileResolver profileResolver,
 this.encrypters = encrypters;
 this.symmetricCacheService = symmetricCacheService;
 this.tokenService = tokenService;
+ this.clientProps = clientProps;
 }
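Review bot: `this.clientProps = clientProps;` stores the new dependency without a null check, so a missing or misconfigured bean surfaces only as a NullPointerException on the first `createIdToken` call instead of at wiring time; `this.clientProps = Objects.requireNonNull(clientProps, "clientProps");` (java.util.Objects) would fail fast when the service is constructed. The other constructor arguments have the same gap, but they are not part of this change. The constructor begins outside this hunk.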
@@ -156,10 +159,13 @@ public JWT createIdToken(ClientDetailsEntity client, OAuth2Request request, Date
 idClaims.issueTime(issueTime);
 handleAuthTimestamp(client, request, idClaims);
- if (client.getIdTokenValiditySeconds() != null) {
- Date expiration =
- new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L));
- idClaims.expirationTime(expiration);
+ if (client.getIdTokenValiditySeconds() != null && client.getIdTokenValiditySeconds() > 0) {
+ idClaims.expirationTime(
+ new Date(System.currentTimeMillis() + (client.getIdTokenValiditySeconds() * 1000L)));
+ } else {
+ idClaims.expirationTime(
+ new Date(System.currentTimeMillis() + (clientProps.getClientDefaults().getDefaultIdTokenValiditySeconds() * 1000L)));
 }
 String nonce = (String) request.getExtensions().get(NONCE);
diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/client/RegistrationAccessTokenTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/client/RegistrationAccessTokenTests.java
index b33eaa9c9..b3a447048 100644
--- a/iam-login-service/src/test/java/it/infn/mw/iam/test/api/client/RegistrationAccessTokenTests.java
+++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/api/client/RegistrationAccessTokenTests.java
@@ -24,6 +24,8 @@ import static org.hamcrest.Matchers.not;
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
+import java.text.ParseException;
+
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -32,6 +34,9 @@ import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
+import com.nimbusds.jwt.JWT;
+import com.nimbusds.jwt.JWTParser;
+
 import io.restassured.RestAssured;
 import it.infn.mw.iam.api.client.management.service.ClientManagementService;
 import it.infn.mw.iam.api.common.client.RegisteredClientDTO;
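Review bot: The new else branch applies `clientProps.getClientDefaults().getDefaultIdTokenValiditySeconds()` without the `> 0` guard the client value gets, so a zero or negative default mints an ID token whose `exp` is already in the past (and, if that getter returns a boxed Integer, a missing property fails with a NullPointerException on unboxing). Both branches also compute the expiration from `System.currentTimeMillis()` although the service is constructed with a `Clock` (`this.clock = clock;` in the constructor hunk), which keeps this claim out of reach of a test-controlled clock and duplicates the arithmetic. Folding the two branches into one validity computation, rejecting a non-positive result, and using `clock.millis()` addresses both points; the rewritten lines are below. The body of createIdToken continues outside the hunk.
```java
    handleAuthTimestamp(client, request, idClaims);
    // Prefer the per-client value; otherwise fall back to the configured default.
    Integer clientValidity = client.getIdTokenValiditySeconds();
    long validitySeconds = (clientValidity != null && clientValidity > 0)
        ? clientValidity
        : clientProps.getClientDefaults().getDefaultIdTokenValiditySeconds();
    // Fail closed on a non-positive default instead of minting an already-expired ID token.
    if (validitySeconds <= 0) {
      throw new IllegalStateException(
          "Configured ID token validity must be positive, got " + validitySeconds);
    }
    // Use the injected clock so the expiration shares the service's time source.
    idClaims.expirationTime(new Date(clock.millis() + validitySeconds * 1000L));
    // … unchanged: nonce handling and the rest of createIdToken …
```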
@@ -69,7 +74,7 @@ public void setup() {
 }
 @Test
- public void testRatWorkAsExpected() {
+ public void testRatWorkAsExpected() throws ParseException {
 String clientJson = ClientJsonStringBuilder.builder().scopes("openid").build();
@@ -87,6 +92,8 @@ public void testRatWorkAsExpected() {
 // @formatter:on
 assertThat(registerResponse.getRegistrationAccessToken(), notNullValue());
+ JWT jwt = JWTParser.parse(registerResponse.getRegistrationAccessToken());
+ assertThat(jwt.getJWTClaimsSet().getExpirationTime(), nullValue());
 assertThat(registerResponse.getScope(), not(empty()));
 RegisteredClientDTO getResponse =
diff --git a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/IdTokenEnhancerTests.java b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/IdTokenEnhancerTests.java
index 397d0cb37..6a011ed5f 100644
--- a/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/IdTokenEnhancerTests.java
+++ b/iam-login-service/src/test/java/it/infn/mw/iam/test/oauth/IdTokenEnhancerTests.java
@@ -97,7 +97,7 @@ public void testEnhancedProfileClaimsOk() throws Exception {
 assertThat(token.getJWTClaimsSet().getClaim("preferred_username"), is(notNullValue()));
 assertThat(token.getJWTClaimsSet().getClaim("organisation_name"), is(notNullValue()));
 assertThat(token.getJWTClaimsSet().getClaim("groups"), is(notNullValue()));
-
+ assertThat(token.getJWTClaimsSet().getExpirationTime(), is(notNullValue()));
 }
 @Test
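Review bot: The added `assertThat(jwt.getJWTClaimsSet().getExpirationTime(), nullValue());` pins the registration access token as carrying no `exp`, but nothing in the test says why that is the expected outcome of a change to the ID-token validity default, so a later reader may read the non-expiring token as a regression. A one-line comment above the parse, such as `// the ID-token validity default must not apply to registration access tokens, which are issued without exp`, would record the intent; whether registration access tokens share the ID-token issuing path is not visible here, so the wording should be confirmed against the service. The body of testRatWorkAsExpected continues outside the hunk.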
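Review bot: `assertThat(token.getJWTClaimsSet().getExpirationTime(), is(notNullValue()));` only proves an `exp` claim is present; a default validity of zero, or an expiration computed from the wrong base time, would still pass. Asserting that the expiration lies after the issue time, e.g. `assertThat(token.getJWTClaimsSet().getExpirationTime().after(token.getJWTClaimsSet().getIssueTime()), is(true));`, or comparing it against the configured default validity would pin the behaviour the production change introduces. The enclosing testEnhancedProfileClaimsOk starts outside the hunk.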