[I work for DocuSign. I consulted with the DocuSign Authorization engineering team to prepare this answer.]
The lifetime for refresh tokens vary depending on a variety of authentication policies.
After it expires, the client uses the Authorization Code Grant flow to request new tokens.
Since the human needs to be present whenever the Authorization Code Grant flow is used, this authentication technique should only be used for integrations where the authenticated user is present ("User Applications").
Other authentication techniques should be used for "Service Integrations."
Added
Not all Refresh Tokens in the DocuSign system have the same lifetime. Some will last for x amount of time, others will last for y amount of time. Why some will last for x and others for y depends on various authentication policies:
- DocuSign platform policies
- Account (customer) policy
- The type of authentication that was performed when the user logged in
- Etc
Re: other companies just use "14 days." DocuSign authentication enables the authenticated person to sign legal documents. So the question of the DocuSign token lifetime is not simple.
Bottom line: test your app to ensure that it gracefully handles expiration of both access and refresh tokens.
Added Aug 2018
Access Tokens received via the OAuth Authorization Code Grant flow usually have an 8 hour life. The accompanying Refresh Token usually has a 30 day life.
If extended scope is not requested in the authentication flow, then the Refresh Token, when used will return a new Refresh Token that will have the same expiration date as the original.
But if extended scope is requested, then, when the Refresh Token is used, the returned (new) Refresh Token will normally be good for an additional 30 days from that time.
So if extended scope is requested, and the user logs in at least once every 30 days, then the original and newly provided Refresh Tokens will enable the user to never have to re-authenticate himself or herself.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
