I understand that the access-tokens are issued with a short expiration time in OAuth2 implicit flow, so that the application is forced to continually refresh them (using iframes or other means), giving the service a chance to revoke an application’s access if needed.
But what is the ideal expiration time? Should it be around 15 mins/more/less?