Can I use the request token given by the OAuth provider and use it forever? I am looking to build a service which interacts with the Delicious api and looks for updated bookmarks every fortnight. I was just wondering if I could use the same request token instead of asking the user to authenticate again and again. If I cannot, which is what I guess the answer will be, what would be a best practice for such an action?
My last option would be to expect users to give up their delicious username and passwords to me, in which case, my job becomes extremely easy.
This is implementation-specific - you'll have to see what the Delicious docs say about the token. It may expire, have limited uses, or have side effects when used.
Most OAuth implementations will probably expire their tokens at some point to reduce the number of valid tokens they have to keep track of.
In general, user-agent help should make this less of an issue for SSO authentication systems - when the user shows up without a valid token, the browser is redirected to the authenticator, which looks at stored credentials on the browser (usually cookies) and redirects the user back with a new token, without any user interaction. This can be more complex for OAuth than for OpenID, since it might not be appropriate to issue a new token if it does more than authenticate. And since the authentication/authorization process is implementation specific, you need to be able to enter new credentials unless you know that the token will be valid.