1
votes

I'm working with the Reddit API, which uses OAuth to authenticate users for the API.

The APIs for their OAuth mention that essentially you present the user with a webpage, and after they grant approval they're redirected back to your application which is given a code. You can then take this code and make a request to the API to be given an access token which you can store.

With the Reddit API specifically you can set a duration, either temporary or permanent. With permanent, it seems you need to restore a "refresh token" received alongside the above access token, as the access token will expire every hour, and the refresh token will allow you to be granted a new access token.

Am I correct in understanding this? What is the point of the "permanent" request if hourly it expires? Furthermore, how do I track this in an application sense? Do I set a timer for an hour after the initial token to request a new one? What if the app is closed, do I write the last request time to disk, check if it's been more than an hour, and refresh it otherwise?

Am I understanding refresh tokens properly and they have to be managed this... manually?

1
You can also use a 'refresh on failure' approach to avoid the complexity of timing at the expense of a little extra network traffic. - Wain

1 Answer

1
votes

Am I correct in understanding this?

  • Yes

What is the point of the "permanent" request if hourly it expires?

  • The user has delegated access to your application. The user could go and revoke access whenever he wants.

Furthermore, how do I track this in an application sense?

You could do a timer or as Wain said, just "refresh on failure".

What if the app is closed, do I write the last request time to disk, check if it's been more than an hour, and refresh it otherwise?

Yes or use the "refresh on failure" approach.
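Both approaches from this thread combined, as an added example that is not part of the original question or answer: the expiry time is written to disk so the check survives an app restart, and a 401 triggers one refresh and one retry. `TokenStore`, `refresh_fn`, `api_fn` and the file layout are hypothetical names; the fake endpoint and token values in `demo()` are constructed so the code runs offline.

```python
import json, os, tempfile, time

class TokenStore:
    """Keeps tokens on disk; refreshes on expiry or on a 401 response."""
    def __init__(self, path, refresh_fn, clock=time.time):
        self.path, self.refresh_fn, self.clock = path, refresh_fn, clock

    def save(self, state):
        # Create the file owner-only: the refresh token is a long-lived credential.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(state, f)

    def refresh(self, state):
        # refresh_fn stands in for the POST that trades the refresh token
        # for a new access token; it returns access_token and expires_in.
        reply = self.refresh_fn(state["refresh_token"])
        state["access_token"] = reply["access_token"]
        state["expires_at"] = self.clock() + reply["expires_in"]
        self.save(state)
        return state

    def call(self, api_fn):
        with open(self.path) as f:
            state = json.load(f)
        if self.clock() >= state["expires_at"] - 60:   # stored expiry, 60 s margin
            state = self.refresh(state)
        status, body = api_fn(state["access_token"])
        if status == 401:                              # refresh on failure, retry once
            state = self.refresh(state)
            status, body = api_fn(state["access_token"])
        return status, body

def demo():
    # Constructed stand-ins for the token endpoint and an API request.
    path = os.path.join(tempfile.mkdtemp(), "tokens.json")
    valid, issued = {"tok-0"}, []
    def fake_refresh(refresh_token):
        issued.append("tok-%d" % (len(issued) + 1))
        valid.clear(); valid.add(issued[-1])
        return {"access_token": issued[-1], "expires_in": 3600}
    def fake_api(token):
        return (200, "ok") if token in valid else (401, "expired")
    now = [1000.0]
    store = TokenStore(path, fake_refresh, clock=lambda: now[0])
    store.save({"refresh_token": "refresh-abc", "access_token": "tok-0", "expires_at": 4600.0})
    results = [store.call(fake_api)]      # token still fresh: no refresh
    now[0] += 7200                        # app "closed" for two hours
    results.append(store.call(fake_api))  # stored expiry has passed: refresh first
    valid.clear()                         # server drops the token before its expiry
    results.append(store.call(fake_api))  # 401, then refresh, then retry
    return results, issued
```

If `refresh_fn` itself fails, the user has most likely revoked access and the application has to send them through the authorization page again.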