[aerogear-dev] Android OAuth2 PR

Bruno Oliveira bruno at abstractj.org
Mon May 5 17:40:51 EDT 2014

My 2 cents,

+1 on it and call it a day

On 2014-05-05, Corinne Krych wrote:
> @summers, to me the default option should be to store refresh token at “session” level (i.e.: in memory storage). that way renewal of access token can be done transparently without having to re-grant the app.
> However if the developer choose permanent storage, we could propose encrypted storage which required password. Obviously as @abstractj mentioned it, we have the trade-off of password prompting which implies some constraints in workflow management.
> Password should be used once to store the refresh tokens and used at each start up of the app to retrieved refresh token from permanent storage to memory.



More information about the aerogear-dev mailing list