We noticed that for OAuth token validation, current OTK 3.1.2 ( I would assume other OTK version is the same) setup a global variable as expiry time for each type of tokens, like access token and refresh token.
The problem here is, for diferent client application the use case and scenario is various. Client A may need the refresh token last very long, but Client B may need it relatively shorter. With a single variable there could be confliction of demond.
I would suggest a way to setup token expiry time configurable for each client. Especially when OTK integrated with portal, would you please add 2 more fields in the "Auth" tab, say "access token expiry time" and "refresh token expiry time", and pass this with the rest of integration data to the gateway? I assume you also need add 2 columns in the client tables to store these configuration data.