[aerogear-dev] Android OAuth2 PR

Bruno Oliveira bruno at abstractj.org
Mon May 5 17:40:51 EDT 2014


My 2 cents,

+1 on it and call it a day

On 2014-05-05, Corinne Krych wrote:
> @summers, to me the default option should be to store the refresh token at “session” level (i.e.: in memory storage). That way renewal of the access token can be done transparently without having to re-grant the app.
> However, if the developer chooses permanent storage, we could propose encrypted storage which requires a password. Obviously, as @abstractj mentioned, we have the trade-off of password prompting, which implies some constraints in workflow management.
> The password should be used once to store the refresh tokens and used at each start-up of the app to retrieve the refresh token from permanent storage to memory.

--

abstractj
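
The storage scheme proposed in the quoted message, as an added example that is not part of the original thread or of the AeroGear code base. The class name, blob layout (salt, IV, ciphertext) and iteration count are assumptions, and PBKDF2 with AES-GCM is one possible choice since the thread names no algorithm.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Hypothetical class (not AeroGear API): password-protected permanent storage for a refresh token.
public class RefreshTokenVault {
    private static final int SALT_LEN = 16, IV_LEN = 12, ITERATIONS = 210_000; // assumed parameters
    private char[] sessionToken; // "session" level copy, held in memory only

    private static SecretKeySpec deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        return new SecretKeySpec(SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded(), "AES");
    }

    // Password used once to store: returns salt || iv || ciphertext+tag for permanent storage.
    public static byte[] seal(char[] password, String refreshToken) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt);
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(refreshToken.getBytes(StandardCharsets.UTF_8));
        byte[] blob = Arrays.copyOf(salt, SALT_LEN + IV_LEN + ct.length);
        System.arraycopy(iv, 0, blob, SALT_LEN, IV_LEN);
        System.arraycopy(ct, 0, blob, SALT_LEN + IV_LEN, ct.length);
        return blob;
    }

    // At app start-up: a wrong password or a modified blob fails the GCM tag check (AEADBadTagException).
    public void unlock(char[] password, byte[] blob) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, blob, SALT_LEN, IV_LEN));
        byte[] pt = c.doFinal(blob, SALT_LEN + IV_LEN, blob.length - SALT_LEN - IV_LEN);
        sessionToken = new String(pt, StandardCharsets.UTF_8).toCharArray();
        Arrays.fill(pt, (byte) 0); // drop the plaintext buffer once the in-memory copy exists
    }

    public static void main(String[] args) throws Exception { // constructed sample values
        byte[] blob = seal("correct horse".toCharArray(), "constructed-refresh-token");
        RefreshTokenVault vault = new RefreshTokenVault();
        vault.unlock("correct horse".toCharArray(), blob);
        System.out.println(new String(vault.sessionToken));
    }
}
```

Only the sealed blob ever reaches permanent storage; the decrypted token lives in the `sessionToken` field for the lifetime of the process.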

