Short-lived access tokens and long-lived refresh tokens
Typically services using this method will issue access tokens that last anywhere from several hours to a couple weeks. When the service issues the access token, it also generates a refresh token that never expires and returns that in the response as well. (Note that refresh tokens can’t be issued using the Implicit grant.)
After some reading about the OAuth2 topic: https://www.oauth.com/oauth2-servers/access-tokens/access-token-lifetime/
This part is interesting because as I can see in this repository, currently it's not possible to generate a refresh token that never expires.
https://github.com/thephpleague/oauth2-server/blob/eb91b4190e7f6169053ebf8ffa352d47e756b2ce/src/Grant/AbstractGrant.php#L152
What do you think about it?