relax refresh tokens requirement?

[Sakurann]

I was surprised to find that FAPI does not mandate refresh tokens. maybe this profile should also relax mandating refresh tokens..

the use of refresh tokens instead of long-lived access tokens for both public and confidential clients is recommended.

[tlodderstedt]

Agree to reconsider. We should be very sure and clear why we think refresh tokens are needed.

In my opinion, refresh tokens can help to achieve a better UX in the following cases:

• Silent refresh of credentials, which is especially useful if the credential doesn't have a dynamic status management mechanisms. Given we will have that mechanism through the status list, we won't not necessarily need refresh tokens for this scenario.
• Obtaining fresh copies of a credential that shall be used on a per RP basis or as ephemeral credentials. I don't see a compelling alternative to refresh tokens for this scenario. Do perhaps, we can make the use/implementation of refresh tokens depending on the privacy requirements of the deployment.

[peppelinux]

I agree, in the italian impl profile we do not support the refresh token, as mentioned here

https://github.com/italia/eudi-wallet-it-docs/issues/154