This repository has been archived by the owner. It is now read-only.

Allow clients to request limited lifetime access_tokens #209

Closed
ckarlof opened this issue Jan 30, 2015 · 3 comments
Comments

@ckarlof ckarlof commented Jan 30, 2015

I propose we add a parameter in https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md#post-v1authorization to do this.

The main use case I have in mind is for Reading List in Desktop to address some kind of revocation. If the user loses her device, the only mechanism she has to revoke things is password reset. Reading List will be using the implicit grant flow to get a token for the logged-in user on Desktop, and it would be nice if it could request a limited lifetime token. Then when the user resets her password, her FxA session token will expire and her browser's token will no longer be able to mint BrowserID assertions and get new OAuth tokens.

Otherwise, we'll have to just request a new token for each request (or at startup), and fill our DB with orphaned tokens. :)

@seanmonstar and @rfk, nothing urgent, but it would be nice to address this in the next 4 weeks or so.

@rfk rfk commented Mar 9, 2015

This fell off our radar for a while. Given current readinglist timeframes, is it something we should try to push through for end of quarter or have we missed the boat for the initial version?

@ckarlof ckarlof commented Mar 10, 2015

RL will be going with a persistently stored "forever" token in v1.

I think a good Q2 effort would be:

  1. Issue refresh tokens by default, and make it so all access tokens have limited lifetimes.
  2. Add a new endpoint to request an access token with a refresh token, for a subset of the scopes assigned to the refresh token.
  3. Change access tokens to be JWTs and offline verifiable (#185).
@rfk rfk commented Mar 10, 2015

Yep, this will be a top priority for Q2.

  1. Issue refresh tokens by default, and make it so all access tokens have limited lifetimes.

It will be interesting to see how much of this can be b/w compatible, and how much we can get away with just expiring people's tokens without changing the API.

seanmonstar added a commit that referenced this issue May 27, 2015
See docs/api.md for changes to endpoints.

Closes #209
seanmonstar added a commit that referenced this issue Jun 1, 2015
See docs/api.md for changes to endpoints.

Closes #209
seanmonstar added a commit that referenced this issue Jun 2, 2015
See docs/api.md for changes to endpoints.

Closes #209
@rfk rfk added this to the train-40 milestone Jun 3, 2015
seanmonstar added a commit that referenced this issue Jun 11, 2015
See docs/api.md for changes to endpoints.

Closes #209
@rfk rfk modified the milestones: train-41, train-40 Jun 24, 2015
seanmonstar added a commit that referenced this issue Jun 29, 2015
See docs/api.md for changes to endpoints.

Closes #209
seanmonstar added a commit that referenced this issue Jun 30, 2015
See docs/api.md for changes to endpoints.

Closes #209