OAuth 2.0 username-password flow: Is the access token long lived?
You should check the operation response and handle any exception. If the response is a 401 containing this JSON:
[ { message: 'Session expired or invalid'
, errorCode: 'INVALID_SESSION_ID'
}
]
, you could call a refresh_token flow like this:
However, you only get the refresh token from the Web server and User-Agent flows, as indicated here.
If the application uses the username-password OAuth authentication flow, no refresh token is issued, as the user cannot authorize the application in this flow. If the access token expires, the application using username-password OAuth flow must re-authenticate the user.
So, I think that after login using user-password flow, you should re-authenticate the user or change the flow.
Refresh Token
The refresh token may have an indefinite lifetime, persisting until explicitly revoked by the end-user. The client application can store the refresh token, using it to periodically obtain fresh access tokens, but should be careful to protect it against unauthorized access, since, like a password, it can be repeatedly used to gain access to the resource server. Since refresh tokens may expire or be revoked by the user outside the control of the client application, the client must handle failure to obtain an access token, typically by replaying the protocol from the start.
I recommend you read this article on digging deeper into OAuth in force
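The handling described in the answer above, as an added example that is not part of the original post: detect the 401 `INVALID_SESSION_ID` response and, because the username-password flow issues no refresh token, re-authenticate and retry once. `PasswordFlowClient`, `login`, `send` and the sample tokens are hypothetical names and constructed values; the real HTTP calls are assumed to be supplied by the caller.

```python
import json

# Wire form of the error quoted in the answer (constructed sample body).
EXPIRED = '[{"message":"Session expired or invalid","errorCode":"INVALID_SESSION_ID"}]'

def is_expired_session(status, body):
    """True only for a 401 whose JSON error list carries INVALID_SESSION_ID."""
    if status != 401:
        return False
    try:
        errors = json.loads(body)
    except (TypeError, ValueError):
        return False
    return isinstance(errors, list) and any(
        isinstance(e, dict) and e.get("errorCode") == "INVALID_SESSION_ID"
        for e in errors)

class PasswordFlowClient:
    """Hypothetical wrapper: `login()` re-runs the username-password flow and
    returns a new access token; `send(token, request)` returns (status, body)."""

    def __init__(self, login, send):
        self._login, self._send = login, send
        self._token = None
        self.logins = 0          # exposed so callers can monitor the re-auth rate

    def _authenticate(self):
        self._token = self._login()
        self.logins += 1

    def call(self, request):
        if self._token is None:
            self._authenticate()
        status, body = self._send(self._token, request)
        if is_expired_session(status, body):
            # No refresh token exists in this flow: log in again, then retry
            # exactly once so a persistent failure cannot loop on the login endpoint.
            self._authenticate()
            status, body = self._send(self._token, request)
        return status, body

def demo():
    """Constructed scenario: the first token is already expired server-side."""
    issued = iter(["token-1", "token-2"])        # constructed sample tokens
    live = {"token-2"}
    send = lambda tok, req: (200, '{"ok":true}') if tok in live else (401, EXPIRED)
    client = PasswordFlowClient(lambda: next(issued), send)
    return client.call("GET /records"), client.logins
```

Other 401 bodies and non-401 errors are returned to the caller unchanged, so an authorization failure is never mistaken for an expired session.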