Token expiration and implications for mobile #8
Description
From what I've seen so far, tokens will expire by default after 7 days.
Do we want to enforce token expiration or allow clients to request a different expiration period? If we are going to be enforcing (and probably regardless of this) I think we need a refresh token mechanism to get new tokens without requiring the password.
In the apps, we currently store passwords for self-hosted users because we don't have an alternative. In a future where all our calls move away from XML-RPC, we would stop storing passwords like we do for WordPress.com/OAuth2. We can't be asking users to log in every week, so we need a system that allows us to renew credentials transparently.
I've been reading this article recently that does a good job of explaining the different alternatives: Access Token Lifetime
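As an added example (not code from this issue or the project), a minimal token service in Python sketching the mechanism proposed above: the password is presented once at login, the client keeps a signed expiring access token plus a single-use refresh token, and renewal needs only the refresh token. The HMAC token format, the signing key, the refresh-token lifetime and the family-revocation-on-reuse rule are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

ACCESS_TTL = 7 * 24 * 3600    # access tokens expire after 7 days, as in the issue
REFRESH_TTL = 90 * 24 * 3600  # assumed lifetime for refresh tokens

class TokenService:
    def __init__(self, key, now=time.time):
        self.key, self.now = key, now
        self.refresh = {}              # refresh token -> record (server-side state)
        self.revoked_families = set()  # families killed after a reuse was detected

    def _sign(self, payload):
        # token = base64url(JSON payload) "." hex HMAC-SHA256 over the payload
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
        return body + "." + hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def verify_access(self, token):
        body, _, mac = token.rpartition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None                                  # forged or corrupted
        payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return None if payload["exp"] <= self.now() else payload  # expired

    def _issue(self, user, family):
        access = self._sign({"sub": user, "exp": self.now() + ACCESS_TTL})
        refresh = secrets.token_urlsafe(32)             # opaque, random, single-use
        self.refresh[refresh] = {"user": user, "family": family,
                                 "exp": self.now() + REFRESH_TTL, "used": False}
        return access, refresh

    def login(self, user, password_ok):
        # The password is checked once; the client then discards it and keeps the tokens.
        if not password_ok:
            return None
        return self._issue(user, secrets.token_hex(8))   # new family per login

    def refresh_tokens(self, refresh):
        rec = self.refresh.get(refresh)
        if rec is None or rec["exp"] <= self.now() or rec["family"] in self.revoked_families:
            return None
        if rec["used"]:
            # A rotated token presented again: either the client or a thief holds a copy.
            # Revoke the whole family so neither side can keep refreshing.
            self.revoked_families.add(rec["family"])
            return None
        rec["used"] = True                               # rotate: old token is spent
        return self._issue(rec["user"], rec["family"])
```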