Refresh token setting/management command documentation not clear

[clintonb]

The documentation around cleartokens command and the REFRESH_TOKEN_EXPIRE_SECONDS setting needs clarification.

The management command documentation mentions a default 1 day delay that is not actually in the codebase. This documentation should clearly state that the REFRESH_TOKEN_EXPIRE_SECONDS setting must be set in order to actually remove expired tokens. Additionally, the management command should alert the user if no tokens will be deleted due to the setting not being set.

The documentation for the REFRESH_TOKEN_EXPIRE_SECONDS setting should also state that the value is required to clear tokens. No emphasis is given to this, so it is too easy to miss this fact. It would also be ideal if a reasonable default were set rather than issuing refresh tokens with unlimited lifetimes.

[doc-E-brown]

Can we extend this to the documentation for using the refresh token in general? It is unclear as to how the refresh token can be used to renew the authorisation token. Thx!

[FMCorz]

I got here because cleartokens did not seem to work for me. I did not realise that the REFRESH_TOKEN_EXPIRE_SECONDS setting was set to None by default. This should be clarified in the docs. I would also suggest to give it a default as IMHO refresh tokens should not be valid forever.