Tags: .net-core, oauth-2.0, azure-active-directory, microsoft-graph-api, azure-authentication

How do you handle expired client secrets in a deployed desktop application?


The desktop application I am developing (C#/.NET, WPF) uses a feature which requires connection to the IMAP and SMTP servers of the user. I am using a package called MailKit for this. Some of our users are using Microsoft 365 and will require modern authentication in the future, as opposed to the basic authentication they are using right now. This is supported by MailKit and I am able to authenticate using OAuth 2.0.

However, this requires a client secret, which expires after a certain amount of time (e.g. two years) after creation in Azure. This client secret is compiled with the application, after which the application is distributed. Does this mean the users need to update their installation at least every two years, so I can supply a new client secret? This is undesirable to our users. The best solution for me would be if I could refresh expired client secrets without the user having to perform any action.
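For context on the secret-expiry problem described above, here is an added example (not code from the question, the answer, MailKit or Microsoft) of the approach a desktop application can take instead: register the app in Azure AD as a public client and let MSAL run the interactive authorization-code flow, so no client secret is compiled into the binary and nothing on the vendor's side expires. It assumes the app registration has "Allow public client flows" enabled and `http://localhost` as a redirect URI; `ClientId` is a placeholder for that registration's application id, and `outlook.office365.com` is Exchange Online's IMAP endpoint.

```csharp
// Added example: MailKit ImapClient + MSAL public client against Microsoft 365.
// No client secret anywhere; the user signs in, and MSAL's refresh token keeps the
// session alive silently. ClientId is a placeholder for your own app registration.
using System;
using System.Linq;
using System.Threading.Tasks;
using MailKit.Net.Imap;
using MailKit.Security;
using Microsoft.Identity.Client;

public static class Microsoft365Imap
{
    // Placeholder: the application (client) id of the Azure AD app registration.
    private const string ClientId = "<YOUR-APP-REGISTRATION-CLIENT-ID>";

    // Delegated Exchange Online scopes for IMAP and SMTP on behalf of the signed-in user.
    private static readonly string[] Scopes =
    {
        "https://outlook.office.com/IMAP.AccessAsUser.All",
        "https://outlook.office.com/SMTP.Send"
    };

    // Public-client application: note the absence of WithClientSecret(...).
    private static readonly IPublicClientApplication Pca =
        PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority("https://login.microsoftonline.com/common")
            .WithRedirectUri("http://localhost")
            .Build();

    // Returns a valid access token: silently from the token cache when a refresh
    // token is available, otherwise via the user's browser sign-in.
    public static async Task<AuthenticationResult> AcquireTokenAsync()
    {
        var account = (await Pca.GetAccountsAsync()).FirstOrDefault();
        if (account != null)
        {
            try
            {
                return await Pca.AcquireTokenSilent(Scopes, account).ExecuteAsync();
            }
            catch (MsalUiRequiredException)
            {
                // Cached token unusable (revoked consent, password change, expired
                // refresh token): fall through to interactive sign-in.
            }
        }
        return await Pca.AcquireTokenInteractive(Scopes).ExecuteAsync();
    }

    // Connects to Exchange Online over implicit TLS and authenticates with XOAUTH2.
    public static async Task<ImapClient> ConnectImapAsync()
    {
        var result = await AcquireTokenAsync();
        var client = new ImapClient();
        await client.ConnectAsync("outlook.office365.com", 993, SecureSocketOptions.SslOnConnect);
        // MailKit sends the user's UPN plus the bearer token; no application secret is involved.
        await client.AuthenticateAsync(
            new SaslMechanismOAuth2(result.Account.Username, result.AccessToken));
        return client;
    }
}
```

MSAL's token cache is in-memory per process by default, so on a desktop app you would persist it (for example with the Microsoft.Identity.Client.Extensions.Msal package) to get silent sign-in across restarts; the expiry that then matters is the user's refresh token, which MSAL renews or re-prompts for, rather than a secret shipped with the installer.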


Solution

  • Perhaps it's a good idea to force the users to upgrade the software after two years? Like forcing them to buy an upgrade (business opportunity) or as a way to distribute fixes and updates to the application?

    Most applications today you update at least every year anyway, don't you?