[OIDC improvement]: use refresh_token #346

Open
@guimard

OIDC provides 2 kinds of refresh_token:

  • offline RT: for example for a mobile app
  • online RT: for example for webmail

Following security guidelines, a relying party should receive a short-term access_token (around 10 min) with a refresh_token that permits the RP to get a new access_token during the refresh_token's lifetime. The same applies to a mobile app. The only difference is the TTL of the refresh_token:

  • same as the SSO session for "online" RT (Linshare web)
  • some months/years for "offline" RT (mobile app)

Job done for Twake-Mail.
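
Added example, not part of the original issue or of the project's code: an RP-side token cache that uses the refresh_token grant described above and forces re-authentication once the RT has expired. `TokenManager`, `make_fake_op`, the injected `post` transport, the public-client `client_id` parameter and all token values are assumptions constructed for illustration.

```python
import time
from urllib.parse import parse_qs, urlencode

class ReauthRequired(Exception):
    """The OP rejected the refresh_token: the user must authenticate again."""

class TokenManager:
    """Hypothetical RP-side cache: short-lived access_token, refreshed on demand."""
    def __init__(self, post, client_id, tokens, now=time.time, skew=30):
        self.post, self.client_id, self.now, self.skew = post, client_id, now, skew
        self.refresh_token = None
        self._store(tokens)

    def _store(self, resp):
        self.access_token = resp["access_token"]
        self.expires_at = self.now() + resp["expires_in"]
        # Keep the current RT unless the OP rotated it in this response.
        self.refresh_token = resp.get("refresh_token", self.refresh_token)

    def get_access_token(self):
        if self.now() < self.expires_at - self.skew:
            return self.access_token          # still valid, no round trip
        if not self.refresh_token:
            raise ReauthRequired("no refresh_token")
        body = urlencode({"grant_type": "refresh_token",   # RFC 6749, section 6
                          "refresh_token": self.refresh_token,
                          "client_id": self.client_id})
        status, resp = self.post(body)
        if status != 200:
            # Expired or revoked RT: drop everything rather than retry.
            self.access_token = self.refresh_token = None
            raise ReauthRequired(resp.get("error", "unknown"))
        self._store(resp)
        return self.access_token

def make_fake_op(clock, rt_ttl, at_ttl=600):
    """Constructed stand-in for the OP token endpoint. rt_ttl models the RT
    lifetime: SSO-session length for "online", months for "offline"."""
    rt_expiry, issued = clock() + rt_ttl, [0]
    def post(body):
        params = parse_qs(body)
        if params.get("grant_type") != ["refresh_token"] or clock() >= rt_expiry:
            return 400, {"error": "invalid_grant"}
        issued[0] += 1
        return 200, {"access_token": f"at-{issued[0]}", "expires_in": at_ttl}
    return post
```

With an "online" RT the `ReauthRequired` path is reached as soon as the SSO session ends, so the RP should treat it as a normal redirect to login rather than as an error.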
