Reputation: 61
I am trying to work out if there is a maximum recommended expiry for a refresh token in the OAuth2 standard. Ideally, I would like to find concrete recommendations that take into account the nature of the secure interaction or any associated risks (e.g. personal data).
Background: The OAuth2 standard provides a mechanism for obtaining new access tokens using a refresh token. Access tokens are expected to have a 'short' expiry and refresh tokens a 'long' expiry.
There are many examples online that talk about access and refresh token expiry durations for different applications (example), but none of these come with particularly strong rationale or a clear justification for a particular length.
This is for a healthcare application where data security is critical. We would like to use a long refresh token length (90 days) but I haven't been able to find guidance to help me understand the risks of using such a duration.
I'm working from: https://www.rfc-editor.org/rfc/rfc6749
Upvotes: 0
Views: 723
Reputation: 29316
The question that comes to mind is why 90 days if the data sensitivity is critical? A session time such as 30 minutes seems like a better option. Is this related to poor login usability where users forget passwords? If so, OAuth can help. Some notes of mine here may help a little: https://authguidance.com/2017/10/24/user-sessions-and-token-renewal/
Upvotes: 2
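The question describes the refresh mechanism (short-lived access tokens, long-lived refresh tokens, a proposed 90-day refresh lifetime) and the answer proposes a 30-minute session time instead. The following is an added, constructed example, not code from the question, the answer, RFC 6749 or the linked authguidance article. It is a toy authorization server that makes the two positions concrete as three separate knobs: a short access-token TTL, a sliding idle limit on refresh tokens (the answer's "session time"), and an absolute refresh lifetime (the question's 90 days). It also rotates the refresh token on every use and revokes the whole login "family" if a spent token is replayed, which is the reuse-detection idea RFC 6749 section 10.4 describes. The TTL constants, the `family` notion, the `RefreshResult` shape and the HMAC-at-rest storage of refresh tokens are all assumptions made for the example; a real deployment would persist the records and use a real clock.

```python
"""Toy OAuth2-style token issuer: short access TTL, sliding idle limit and
absolute lifetime on refresh tokens, rotation with reuse detection.
Constructed example; not taken from RFC 6749 or any real authorization server."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

ACCESS_TTL = 5 * 60            # access tokens live minutes and are never extended
IDLE_TTL = 30 * 60             # refresh token dies after 30 min without use (answer's figure)
ABSOLUTE_TTL = 90 * 24 * 3600  # and unconditionally 90 days after login (question's figure)


@dataclass
class RefreshRecord:
    user: str
    family: str            # one family per interactive login; survives rotation
    last_used: float
    absolute_expiry: float
    spent: bool = False    # set once this token has been exchanged


@dataclass
class RefreshResult:
    ok: bool
    reason: str                              # "ok" or why the grant was refused
    access: Optional[dict] = None            # claims of the new access token
    refresh_token: Optional[str] = None      # rotated refresh token


class TokenService:
    def __init__(self, now: Callable[[], float], access_ttl: int = ACCESS_TTL,
                 idle_ttl: int = IDLE_TTL, absolute_ttl: int = ABSOLUTE_TTL):
        self.now = now                       # injected clock so the flow is testable
        self.access_ttl = access_ttl
        self.idle_ttl = idle_ttl
        self.absolute_ttl = absolute_ttl
        self._key = secrets.token_bytes(32)  # store only HMACs of refresh tokens
        self._records: Dict[str, RefreshRecord] = {}
        self._revoked_families: Set[str] = set()

    def _digest(self, token: str) -> str:
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def _mint_refresh(self, user: str, family: str, now: float, absolute_expiry: float) -> str:
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = RefreshRecord(user, family, now, absolute_expiry)
        return token

    def _mint_access(self, user: str, now: float) -> dict:
        return {"sub": user, "iat": now, "exp": now + self.access_ttl}

    def login(self, user: str):
        """Interactive authentication: starts a new token family."""
        now = self.now()
        family = secrets.token_hex(8)
        refresh = self._mint_refresh(user, family, now, now + self.absolute_ttl)
        return self._mint_access(user, now), refresh

    def refresh(self, token: str) -> RefreshResult:
        now = self.now()
        rec = self._records.get(self._digest(token))
        if rec is None or rec.family in self._revoked_families:
            return RefreshResult(False, "invalid_grant")
        if rec.spent:
            # A rotated token presented again means a second party holds a copy
            # (RFC 6749 s10.4); revoke every token descended from this login.
            self._revoked_families.add(rec.family)
            return RefreshResult(False, "reuse_detected")
        if now > rec.absolute_expiry:
            return RefreshResult(False, "absolute_lifetime_exceeded")
        if now - rec.last_used > self.idle_ttl:
            return RefreshResult(False, "idle_timeout")
        rec.spent = True                     # single use: rotate on every refresh
        new_refresh = self._mint_refresh(rec.user, rec.family, now, rec.absolute_expiry)
        return RefreshResult(True, "ok", self._mint_access(rec.user, now), new_refresh)

    def access_valid(self, access: dict) -> bool:
        return self.now() < access["exp"]


if __name__ == "__main__":
    clock = [1_700_000_000.0]
    svc = TokenService(now=lambda: clock[0])
    access, refresh = svc.login("alice")
    clock[0] += 10 * 60                      # access token expired, refresh still fresh
    res = svc.refresh(refresh)
    print(res.reason, svc.access_valid(res.access))
    print(svc.refresh(refresh).reason)            # stale copy replayed -> reuse_detected
    print(svc.refresh(res.refresh_token).reason)  # whole family is now dead
```

The point the example makes about the 90-day figure: the absolute lifetime only bounds the case where a token sits unused. Once a refresh token is in an attacker's hands and being used, it is the idle limit and the rotation-with-reuse-detection logic that bound the exposure, because the legitimate client's next refresh with its own (now stale) copy trips `reuse_detected` and kills the family. All three settings are independent, so the 30-minute idle limit from the answer and a long absolute cap are not mutually exclusive.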