It makes sense for many apps, but my problem is how would a purely clientside non-web IRC client handle refreshing a token? Since the client secret needs to stay secret it can’t be shipped in the program, since it would only be obscured at most. Going through the whole authorization process every 12 hours isn’t feasible either for a non-web client where it is pretty intrusive. Is every user supposed to register their own application so they each have their own client secret? Am I missing something?
I think expiring tokens makes a lot of sense, it would prevent leaked tokens that are years old to still be valid. But for some apps a more reasonable timeframe is necessary. Going through the authorization process e.g. every month wouldn’t impact users too much but would still reduce some of the risk.