mod_http_oauth2: Shorten default token validity periods With refresh tokens, short lifetime for access tokens is not a problem. The arbitrary choice of one hour seems reasonable. RFC 6749 has it as example value. One week for refresh tokens matching the default archive retention period. This means that a client that remains unused for one week will have to sign in again. An actively used client will continually push that forward with each used refresh token.

# mod_tos

A very drafty module to implement some kind of Terms of Service acceptance
tool.

Currently, this only works with clients implementing this very drafty
protocol. The result of the experiments will be an update to the
[ToS ProtoXEP](https://xmpp.org/extensions/inbox/tos.html), with the goal
of acceptance.