On 08/06/2013 02:21 PM, Kanavin, Alexander wrote:
How about the following situation:
- the access token is valid for 1 day, not for 1 hour - the app is a
small helper that runs every 10 minutes and then exits (maybe it
updates a facebook feed, or something similar), so it's not able to
keep the access token in its process memory.
Then the refreshes are 144 times more frequent than is expected. If
you have shipped a lot of devices that behave like this, the service
may well decide to block the client key for misbehaviour.
I never saw anything like this. Using refresh tokens is not mandatory;
of course it's possible that some server decides otherwise, but I'd
worry about that only when you point me at some real cases. :-)