I am implementing the authorization and authentication flow for an API. I was thinking of two-legged OAuth (as the API is only going to be used by us, not by third-party applications). But I found some problems regarding tokens and their expiration periods.
I would request an access_token from /oauth/token with the username and password of the user. This endpoint should return a JWT as the access_token.
Subsequent requests to the API will use that JWT to authenticate the user.
JWTs are supposed to expire after a period of time (1 day, for example). I have read that I need to implement a refresh endpoint with which the app can refresh the JWT, in order not to ask the user for username and password every day.
So, how could I generate that refresh_token? JWTs don't need to be stored in the DB (because of the crypto behind them), but should refresh_tokens be stored?
Thanks in advance
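An added example of one way to wire this up, not code from the question above: the access_token is a short-lived HS256 JWT that is verified statelessly, while the refresh_token is an opaque random string whose SHA-256 hash is stored server-side and rotated (invalidated) on every use, so it can be revoked. Everything here is an assumption for illustration: the shared `SIGNING_KEY`, the TTLs, the in-memory `REFRESH_STORE` dict standing in for a DB table, and `login()` receiving an already password-checked `user_id` (the password check itself is left out).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = b"replace-with-a-random-32-byte-secret"  # assumed HS256 secret, keep it out of source control
ACCESS_TTL = 24 * 3600            # assumed: access JWT lives one day, as in the question
REFRESH_TTL = 30 * 24 * 3600      # assumed: refresh token lives 30 days

REFRESH_STORE = {}                # assumed stand-in for a DB table: sha256(token) -> {"sub", "exp"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _now(now):
    return int(time.time() if now is None else now)


def issue_access_token(user_id, now=None):
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(hmac)."""
    now = _now(now)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + ACCESS_TTL},
                                 separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token, now=None):
    """Return the claims if signature, algorithm and expiry check out, else None. No DB lookup needed."""
    now = _now(now)
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None                      # refuse any other alg, including "none"
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def _hash(token: str) -> str:
    # Store only a hash, so a leaked DB does not yield usable refresh tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_refresh_token(user_id, now=None):
    """Opaque, unguessable token; only its hash and expiry go into the store."""
    token = secrets.token_urlsafe(32)
    REFRESH_STORE[_hash(token)] = {"sub": user_id, "exp": _now(now) + REFRESH_TTL}
    return token


def login(user_id, now=None):
    """What /oauth/token would return once the username/password check has passed."""
    return {"access_token": issue_access_token(user_id, now),
            "refresh_token": issue_refresh_token(user_id, now)}


def refresh(refresh_token, now=None):
    """What the refresh endpoint does: single-use token, rotated on every call."""
    now = _now(now)
    record = REFRESH_STORE.pop(_hash(refresh_token), None)   # pop = the old token can never be replayed
    if record is None or record["exp"] <= now:
        return None
    return {"access_token": issue_access_token(record["sub"], now),
            "refresh_token": issue_refresh_token(record["sub"], now)}


def revoke_user(user_id):
    """Log the user out everywhere: drop all their refresh tokens (access JWTs expire on their own)."""
    for h in [h for h, r in REFRESH_STORE.items() if r["sub"] == user_id]:
        del REFRESH_STORE[h]
```

Because the JWT is stateless it cannot be revoked before `exp`, which is exactly why the refresh token is the stored, revocable half: keeping the access TTL short and the refresh token single-use limits how long a stolen access token or a replayed refresh token stays useful.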