I have this challenge and not sure how to correctly deal with it.
We have an application with an API, and we also have a third-party application that needs to access the API on behalf of their users. These third-party applications must get their users' consent to access the first-party.
What we are doing at the moment is to have the third-party application store the access_token provided during consent with the user's account. This enables the third-party app to then call the API on behalf of the user. This works fine, but the challenge comes in when that access_token expires and the third party still needs to call the API on the user's behalf. This consent should be given to the third-party application indefinitely. (The user still has the ability on the first-party app to revoke this grant at any time.)
How do we deal with it when the access_token expires, as we do not want to ask the user for their consent again? They will not be online, and it is not UX friendly.
Can we set this granted access_token to never expire, or do we also have to include offline_access to use a refresh token?
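As an added illustration (not code from the original poster or their application) of the second option the question raises, the following Python sketch shows a third-party client that keeps a short-lived access_token plus a refresh_token per user and renews the access token silently with the refresh_token grant from RFC 6749 section 6, so the user is never asked for consent again while the grant stands. The authorization server is simulated in-process (`FakeAuthServer`) so the example runs offline; its behaviour (issuing a refresh token only when the `offline_access` scope was granted, single-use refresh tokens that rotate on every use, `invalid_grant` after the user revokes the grant on the first-party side) is an assumption about what a typical server does, and the client_id, user names and scope list are constructed sample values.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

ACCESS_TOKEN_TTL = 3600  # seconds; access tokens stay short-lived on purpose


class ReconsentRequired(Exception):
    """The stored grant cannot be renewed silently; the user must consent again."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: Optional[str]  # None when consent did not include offline_access
    expires_at: float             # unix time at which access_token stops working

    def is_expired(self, now: float, skew: int = 60) -> bool:
        # Treat tokens about to expire as expired so an in-flight API call does not fail.
        return now + skew >= self.expires_at


class FakeAuthServer:
    """Stand-in for the first-party authorization server (constructed for this example)."""

    def __init__(self) -> None:
        self._refresh_tokens: Dict[str, str] = {}  # refresh_token -> user_id
        self._revoked_users = set()

    def issue_after_consent(self, user_id: str, scopes) -> dict:
        # A refresh token is only issued when the user consented to offline_access.
        resp = {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_TTL}
        if "offline_access" in scopes:
            rt = secrets.token_urlsafe(32)
            self._refresh_tokens[rt] = user_id
            resp["refresh_token"] = rt
        return resp

    def token_endpoint(self, form: dict) -> dict:
        # Simulated POST to the token endpoint; only the refresh_token grant is modelled.
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        user_id = self._refresh_tokens.pop(form.get("refresh_token"), None)  # single use
        if user_id is None or user_id in self._revoked_users:
            return {"error": "invalid_grant"}
        new_rt = secrets.token_urlsafe(32)  # refresh-token rotation: old one is now dead
        self._refresh_tokens[new_rt] = user_id
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_TTL, "refresh_token": new_rt}

    def revoke_grant(self, user_id: str) -> None:
        # What the first-party "revoke" button does: the user's refresh tokens stop working.
        self._revoked_users.add(user_id)
        self._refresh_tokens = {rt: u for rt, u in self._refresh_tokens.items() if u != user_id}


class ThirdPartyClient:
    """Third-party side: stores one TokenSet per user and renews it without user interaction."""

    def __init__(self, token_endpoint: Callable[[dict], dict], client_id: str = "third-party-app") -> None:
        self._token_endpoint = token_endpoint
        self._client_id = client_id  # assumed client identifier registered with the first party
        self._store: Dict[str, TokenSet] = {}

    def store_consent(self, user_id: str, token_response: dict, now: float) -> None:
        self._store[user_id] = TokenSet(
            access_token=token_response["access_token"],
            refresh_token=token_response.get("refresh_token"),
            expires_at=now + token_response["expires_in"],
        )

    def has_grant(self, user_id: str) -> bool:
        return user_id in self._store

    def get_access_token(self, user_id: str, now: float) -> str:
        ts = self._store.get(user_id)
        if ts is None:
            raise ReconsentRequired("no stored grant for user")
        if not ts.is_expired(now):
            return ts.access_token
        if ts.refresh_token is None:
            raise ReconsentRequired("consent did not include offline_access; cannot refresh")
        resp = self._token_endpoint({"grant_type": "refresh_token",
                                     "refresh_token": ts.refresh_token,
                                     "client_id": self._client_id})
        if "error" in resp:
            del self._store[user_id]  # the grant is dead; the next call must re-consent
            raise ReconsentRequired(resp["error"])
        # Per RFC 6749, a server that does not rotate may omit refresh_token; keep the old one then.
        resp.setdefault("refresh_token", ts.refresh_token)
        self.store_consent(user_id, resp, now)
        return resp["access_token"]


if __name__ == "__main__":
    server = FakeAuthServer()
    client = ThirdPartyClient(server.token_endpoint)
    client.store_consent("alice", server.issue_after_consent("alice", ["api", "offline_access"]), now=0)
    print(client.get_access_token("alice", now=10))    # cached access token
    print(client.get_access_token("alice", now=5000))  # silently refreshed
    server.revoke_grant("alice")
    try:
        client.get_access_token("alice", now=9000)
    except ReconsentRequired as exc:
        print("re-consent needed:", exc)
```

The design point is that the access token never has to be long-lived: only the refresh token represents the standing grant, it is stored server-side by the third party, it is single-use and rotated on every refresh, and revoking the grant on the first-party side makes the next refresh fail with `invalid_grant`, at which point the third party drops its copy and the user is asked for consent again the next time they are online.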