mod_http_oauth2: Shorten default token validity periods With refresh tokens, short lifetime for access tokens is not a problem. The arbitrary choice of one hour seems reasonable. RFC 6749 has it as example value. One week for refresh tokens matching the default archive retention period. This means that a client that remains unused for one week will have to sign in again. An actively used client will continually push that forward with each used refresh token.

--- a/mod_http_oauth2/README.markdown	Sun Jul 23 02:56:08 2023 +0200
+++ b/mod_http_oauth2/README.markdown	Mon Jul 24 01:30:14 2023 +0200
@@ -100,8 +100,8 @@
 The defaults are recommended.
 
 ```lua
-oauth2_access_token_ttl = 86400 -- 24 hours
-oauth2_refresh_token_ttl = nil -- unlimited unless revoked by the user
+oauth2_access_token_ttl = 3600 -- one hour
+oauth2_refresh_token_ttl = 604800 -- one week
 ```
 
 ### Dynamic client registration