Open rmccue opened 7 years ago
See this IETF mailing list thread for typical times; access tokens at 1 hour and refresh tokens with no expiry seems decent to me.
On the OAuth 1 plugin, I discuss making access tokens posts instead of options. See https://github.com/WP-API/OAuth1/issues/215#issuecomment-398117262. If expiry is implemented here, it might be worth doing the same. The post created / updated dates would be extremely useful to work out when tokens were created.
Access tokens need to support expiration, and refresh tokens need to be issued to clients during the regular flow.
https://tools.ietf.org/html/rfc6749#section-6
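A sketch of the behaviour requested in this issue, added here as an illustration and not taken from the plugin or from any participant in the thread: one-hour access tokens, refresh tokens without expiry, and the refresh grant from RFC 6749 section 6. The `TokenStore` class, the in-memory arrays, storing only token hashes, and rotating the refresh token on use are all assumptions.

```php
<?php
// Added illustration: hypothetical names, not the OAuth2 plugin's API.
const ACCESS_TOKEN_TTL = 3600; // one hour, the lifetime suggested in the thread
final class TokenStore {
    private array $access = [];  // sha256(token) => [client, user, expires]
    private array $refresh = []; // sha256(token) => [client, user], no expiry

    // Issue a token pair shaped like an RFC 6749 section 5.1 response.
    public function issue(string $client, int $user, int $now): array {
        $at = bin2hex(random_bytes(32));
        $rt = bin2hex(random_bytes(32));
        // Assumption: store only hashes so a leaked table does not leak live tokens.
        $this->access[hash('sha256', $at)] =
            ['client' => $client, 'user' => $user, 'expires' => $now + ACCESS_TOKEN_TTL];
        $this->refresh[hash('sha256', $rt)] = ['client' => $client, 'user' => $user];
        return ['access_token' => $at, 'token_type' => 'Bearer',
                'expires_in' => ACCESS_TOKEN_TTL, 'refresh_token' => $rt];
    }

    // Return the user id for a live access token, null if unknown or expired.
    public function validate(string $at, int $now): ?int {
        $key = hash('sha256', $at);
        $row = $this->access[$key] ?? null;
        if ($row === null || $now >= $row['expires']) {
            unset($this->access[$key]); // purge expired entry; no-op if unknown
            return null;
        }
        return $row['user'];
    }

    // grant_type=refresh_token: the token must have been issued to this client.
    public function refresh(string $client, string $rt, int $now): ?array {
        $key = hash('sha256', $rt);
        $row = $this->refresh[$key] ?? null;
        if ($row === null || $row['client'] !== $client) {
            return null; // maps to an invalid_grant error response
        }
        unset($this->refresh[$key]); // assumption: rotate on every use
        return $this->issue($client, $row['user'], $now);
    }
}
$store = new TokenStore();
$t0 = 1700000000; // constructed timestamp
$pair = $store->issue('client-abc', 42, $t0);
var_dump($store->validate($pair['access_token'], $t0 + 3599)); // inside the hour
var_dump($store->validate($pair['access_token'], $t0 + 3600)); // at expiry
var_dump($store->refresh('other-client', $pair['refresh_token'], $t0 + 3600) === null);
var_dump($store->refresh('client-abc', $pair['refresh_token'], $t0 + 3600)['expires_in']);
```

Because refresh tokens here never expire, binding them to the issuing client and replacing them on each use are the only limits on how long a stolen one stays useful.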