...

  1. Set the default expiration for Access Tokens to 1 day (the accepted window during which a revoked user can keep using a not-yet-expired token).
  2. Set the expiration time for Refresh Tokens to 2 weeks (analogous to our session cookies).
    Note: Since a new refresh token is issued at every use, its lifetime is the maximum period of inactivity before a user is asked to log in again. As long as the user continues to use the app within the lifetime of the refresh token, they never need to log in again.
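As an added illustration (not code from the original page or from edX), the following Python model shows the rotation-on-use semantics described above: a refresh token is single-use, each use issues a fresh one, and the 2-week lifetime therefore bounds inactivity rather than total session length. The `TokenStore` and `simulate` names are hypothetical; the 1-day and 2-week lifetimes are the values set above.

```python
from datetime import datetime, timedelta

ACCESS_TOKEN_TTL = timedelta(days=1)    # from the plan: access tokens expire after 1 day
REFRESH_TOKEN_TTL = timedelta(weeks=2)  # from the plan: refresh tokens expire after 2 weeks


class TokenStore:
    """Minimal in-memory issuer modelling rotation-on-use (hypothetical, not edX code)."""

    def __init__(self):
        self._refresh = {}  # refresh token id -> expiry time
        self._counter = 0

    def _new_id(self):
        self._counter += 1
        return f"rt{self._counter}"

    def login(self, now):
        """A full login issues a fresh access/refresh pair."""
        rt = self._new_id()
        self._refresh[rt] = now + REFRESH_TOKEN_TTL
        return {"access_expires": now + ACCESS_TOKEN_TTL, "refresh": rt}

    def refresh(self, rt, now):
        """Exchange a refresh token; the old one is invalidated and a new one issued."""
        expiry = self._refresh.pop(rt, None)  # pop: the old token is single-use
        if expiry is None or now > expiry:
            return None  # unknown, already used, or expired -> client must log in again
        new_rt = self._new_id()
        self._refresh[new_rt] = now + REFRESH_TOKEN_TTL
        return {"access_expires": now + ACCESS_TOKEN_TTL, "refresh": new_rt}


def simulate(gaps_in_days):
    """Log in once, return to the app after each gap (in days), count forced re-logins."""
    store = TokenStore()
    now = datetime(2014, 1, 1)  # constructed start time
    creds = store.login(now)
    relogins = 0
    for gap in gaps_in_days:
        now += timedelta(days=gap)
        if now > creds["access_expires"]:  # access token stale -> try the refresh token
            refreshed = store.refresh(creds["refresh"], now)
            if refreshed is None:
                relogins += 1
                creds = store.login(now)
            else:
                creds = refreshed
    return relogins
```

A user who returns every 13 days for a year is never re-prompted, while a single 15-day absence forces one login; reusing an already-exchanged refresh token is rejected.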

Client Rollout Plan

  1. Create new Client IDs for edX-iOS-OAuth-v2-with-refresh and edX-Android-OAuth-v2-with-refresh to be used for the new versions of the mobile clients that will have support for refresh tokens.
  2. Run a script to extend the access token expiration time for all old mobile Clients by 100 years.
  3. Publicize the release of the new mobile apps and encourage old users to upgrade for "better security". (Caveat: see Why not long-lived Access Tokens?)