...

Given that our Authorization server and Resource server are (at this time) one and the same, the LMS, it is unclear whether refresh tokens are a hard requirement for the edX mobile apps.  The usual performance argument for short-lived access tokens plus refresh tokens does not apply either: the current Django implementation issues randomly generated opaque tokens rather than self-contained signed tokens, so every access-token verification already requires a database query.  And since all tokens are stored in the database with foreign key relationships to the user, it is still easy to centrally revoke all tokens associated with a user, which removes the other usual reason for keeping access tokens short-lived.

Note: As the edX platform shifts from a monolith to a more distributed microservices architecture, we plan to use OAuth + JWTs and/or a variant of OpenID Connect as our authentication framework.  JWT tokens will then also be present and will most probably be short-lived.  Because a signed JWT is verified without consulting the database, it cannot be revoked centrally the way the current opaque tokens can, and that is precisely the situation in which short-lived access tokens paired with refresh tokens earn their keep.
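The contrast between the two token models above, as an added illustration (this is not edX platform code and not the Django OAuth library's implementation): opaque tokens whose verification is a table lookup and whose revocation is a delete by user, next to HS256-style self-contained tokens that verify with no lookup at all and therefore keep verifying after a "revocation".  TOKEN_TABLE, SECRET and the helper names are constructed stand-ins for the database table and signing key; the token format follows the JWT compact serialization using only the standard library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed in-memory stand-in for the OAuth2 access-token table:
# one row per token, each row holding the foreign key to the user.
TOKEN_TABLE = {}   # token -> {"user_id": ..., "expires": ...}

# Constructed stand-in for a real signing key; never hard-code one in practice.
SECRET = b"constructed-demo-secret-not-for-production"


def issue_opaque_token(user_id, ttl=3600, now=None):
    """Issue a random bearer token. Nothing about it is self-describing."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKEN_TABLE[token] = {"user_id": user_id, "expires": now + ttl}
    return token


def verify_opaque_token(token, now=None):
    """Verification is a database lookup; returns the user_id or None."""
    now = time.time() if now is None else now
    row = TOKEN_TABLE.get(token)
    if row is None or row["expires"] <= now:
        return None
    return row["user_id"]


def revoke_user_tokens(user_id):
    """Central revocation: delete every row that points at the user.
    Takes effect on the very next verification. Returns rows removed."""
    doomed = [t for t, row in TOKEN_TABLE.items() if row["user_id"] == user_id]
    for t in doomed:
        del TOKEN_TABLE[t]
    return len(doomed)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(user_id, ttl=300, now=None):
    """Issue a self-contained HS256-signed token; nothing is stored server-side."""
    now = int(time.time()) if now is None else int(now)
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + ttl},
                                 **compact).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, now=None):
    """Verify signature and expiry with no database access; returns sub or None.
    Note there is no revocation check: a revoked user's token stays valid until exp."""
    now = int(time.time()) if now is None else int(now)
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(_b64url_decode(header))
        claims = json.loads(_b64url_decode(payload))
        given = _b64url_decode(sig)
    except (ValueError, UnicodeDecodeError):
        return None
    if hdr.get("alg") != "HS256":          # pin the algorithm; never trust "none"
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims.get("sub")


if __name__ == "__main__":
    t = issue_opaque_token("alice", now=1000)
    print(verify_opaque_token(t, now=1500))      # alice
    revoke_user_tokens("alice")
    print(verify_opaque_token(t, now=1500))      # None: revocation is immediate
    j = issue_jwt("bob", ttl=300, now=1000)
    print(verify_jwt(j, now=1200))               # bob
    print(verify_jwt(j, now=1300))               # None: only expiry ends its life
```

The last two prints are the whole argument in miniature: with opaque tokens the revocation path already exists and costs nothing extra, so a long-lived access token is not much more dangerous than a short-lived one, whereas with JWTs the only thing that ends a compromised token's life is its `exp`, which is why a short `ttl` plus a refresh token becomes the right design once the platform moves to signed tokens.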

Proposal for Refreshing Tokens on edX mobile apps

...