So the most common approach I have seen is to use OAuth2 with a short (5 min) expiry access token and a long (1 month) expiry refresh token.
This means that once the user logs in, they can abstain from using the app for up to a month before they will be asked to log in again.
The access token is sent with every request to resource servers and the refresh token is used every 5 min to get a new access token and refresh token from the auth server.
If the user wishes to 'log out' they can ask the auth server to revoke their refresh token. After that, their access token is only good for 5 min and they will need to log in with their user/pass again.
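
The token lifecycle described in the post above, as an added example that is not part of the original post: a toy in-memory auth server showing refresh-token rotation, the logout window, and idle expiry. The class and method names are hypothetical, tokens are opaque random strings rather than JWTs, "1 month" is taken as 30 days, and the clock is passed in as `now` (seconds) so the timeline is reproducible.

```python
import secrets

ACCESS_TTL = 5 * 60            # 5 minutes, as in the post
REFRESH_TTL = 30 * 24 * 3600   # "1 month", taken here as 30 days (assumption)


class ToyAuthServer:
    """Hypothetical in-memory model of the flow; not a real OAuth2 library."""

    def __init__(self):
        self.access = {}    # access token  -> (user, expires_at)
        self.refresh = {}   # refresh token -> (user, expires_at)

    def _issue(self, user, now):
        a, r = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[a] = (user, now + ACCESS_TTL)
        self.refresh[r] = (user, now + REFRESH_TTL)
        return a, r

    def login(self, user, password_ok, now):
        # password_ok stands in for a real credential check (assumption)
        if not password_ok:
            raise PermissionError("bad credentials")
        return self._issue(user, now)

    def refresh_tokens(self, refresh_token, now):
        # pop() makes each refresh token single-use: a replayed (possibly
        # stolen) token is rejected once the legitimate client has rotated it.
        entry = self.refresh.pop(refresh_token, None)
        if entry is None or now >= entry[1]:
            raise PermissionError("refresh token invalid, expired or revoked")
        return self._issue(entry[0], now)

    def revoke(self, refresh_token):
        # "Log out": only the refresh token is removed. Access tokens already
        # issued stay valid until their own 5-minute expiry.
        self.refresh.pop(refresh_token, None)

    def check_access(self, access_token, now):
        # The validity check a resource server would apply on each request.
        entry = self.access.get(access_token)
        return entry is not None and now < entry[1]


if __name__ == "__main__":
    srv = ToyAuthServer()
    a, r = srv.login("alice", True, now=0)
    srv.revoke(r)                                   # user logs out at t=0
    print(srv.check_access(a, now=120))             # still inside the window
    print(srv.check_access(a, now=ACCESS_TTL))      # window closed
```

The window after `revoke()` is the trade-off of this design: shortening the access token lifetime narrows it at the cost of more frequent refresh calls.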