My 2 cents,
+1 on it and call it a day
On 2014-05-05, Corinne Krych wrote:
@summers, to me the default option should be to store the refresh token
at “session” level (i.e., in memory storage). That way renewal of the access token can be done
transparently without having to re-grant the app.
However, if the developer chooses permanent storage, we could propose encrypted storage
which requires a password. Obviously, as @abstractj mentioned, we have the trade-off of
password prompting, which implies some constraints in workflow management.
The password should be used once to store the refresh tokens and used at each start-up of the
app to retrieve the refresh token from permanent storage to memory.
--
abstractj
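
The flow discussed in the quoted message (password used once to store the refresh token, then at each start-up to load it into memory), as an added Node.js example that is not code from this thread or from the project. The function and class names are hypothetical, and scrypt plus AES-256-GCM are assumptions of this sketch; the thread names no algorithm.

```javascript
const crypto = require('crypto');

// Hypothetical helper: encrypt a refresh token under a key derived from the
// user's password, returning a record that can go to permanent storage.
function sealRefreshToken(password, refreshToken) {
  const salt = crypto.randomBytes(16);              // fresh salt per record
  const iv = crypto.randomBytes(12);                // 96-bit GCM nonce
  const key = crypto.scryptSync(password, salt, 32);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(refreshToken, 'utf8'), cipher.final()]);
  const b64 = (b) => b.toString('base64');
  return JSON.stringify({ v: 1, salt: b64(salt), iv: b64(iv),
                          tag: b64(cipher.getAuthTag()), ct: b64(ct) });
}

// Hypothetical helper: returns the token, or null when the password is wrong
// or the stored record is malformed or has been modified (GCM tag mismatch).
function openRefreshToken(password, record) {
  try {
    const r = JSON.parse(record);
    const un = (s) => Buffer.from(s, 'base64');
    const key = crypto.scryptSync(password, un(r.salt), 32);
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, un(r.iv));
    decipher.setAuthTag(un(r.tag));
    return Buffer.concat([decipher.update(un(r.ct)), decipher.final()]).toString('utf8');
  } catch (e) {
    return null;
  }
}

// Session-level holder: the decrypted token lives only in memory.
class SessionTokens {
  constructor() { this.refreshToken = null; }
  // Called once at app start-up with the prompted password.
  unlock(password, record) {
    this.refreshToken = openRefreshToken(password, record);
    return this.refreshToken !== null;
  }
}

// Constructed sample values, for illustration only.
const SAMPLE_TOKEN = 'constructed-refresh-token-0001';
const storedRecord = sealRefreshToken('correct horse', SAMPLE_TOKEN);
const session = new SessionTokens();
console.log('unlock ok:', session.unlock('correct horse', storedRecord));
console.log('wrong password:', new SessionTokens().unlock('guess', storedRecord));
```

A failed unlock leaves the session without a refresh token, so the app falls back to re-granting, which is the workflow constraint the message mentions.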