I am developing an Android app that connects to a MySQL database with a PHP API.
The user logs in with the app, and the (JWT) token and refresh token are stored in android.content.SharedPreferences.
The token expires after a few minutes (while testing it is two minutes, and the refresh token expires after one hour).
If a request is made by the app and the token has expired, the refresh token is used to get a new token.
If the refresh token has expired, the user is logged out.
The expiration times would get longer in production, of course.
Is this the proper way? If so, how long is normal?
I feel like you don't get logged out as much from apps, once you are logged in.
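The flow described in the question, as an added example that is not code from the original post: a Python simulation in which the "server" issues HS256 JWTs with the poster's test lifetimes (a two-minute access token, a one-hour refresh token) and the "client" session refreshes when the access token has expired and logs out when the refresh token has expired too. The server functions are called directly rather than over HTTP to the PHP API, the secret and lifetimes are constructed placeholders, and the `typ` claim check is an assumption added so that a refresh token cannot be presented as an access token.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed settings, not from the original post. The lifetimes match the
# poster's test setup; the secret is a placeholder and must be random in practice.
SECRET = b"placeholder-replace-with-a-random-server-secret"
ACCESS_TTL = 2 * 60      # two minutes, as in the question's test setup
REFRESH_TTL = 60 * 60    # one hour, as in the question's test setup


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, typ: str, ttl: int, now: int) -> str:
    """Server side: build a minimal HS256 JWT carrying subject, kind, issued-at and expiry."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "typ": typ, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_typ: str, now: int) -> Optional[dict]:
    """Server side: return the claims only if the signature is valid, the token has not
    expired, and it is the expected kind (assumed check: refresh tokens are not access tokens)."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("typ") != expected_typ or claims.get("exp", 0) <= now:
        return None
    return claims


class AppSession:
    """Client side: stands in for the SharedPreferences-backed token store in the question."""

    def __init__(self) -> None:
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None
        self.logged_in = False

    def login(self, username: str, now: int) -> None:
        # Login issues both tokens; the client stores them.
        self.access_token = issue_token(username, "access", ACCESS_TTL, now)
        self.refresh_token = issue_token(username, "refresh", REFRESH_TTL, now)
        self.logged_in = True

    def logout(self) -> None:
        self.access_token = self.refresh_token = None
        self.logged_in = False

    def request(self, now: int) -> str:
        """Make an API request at time `now`; returns which path the flow took."""
        if not self.logged_in:
            return "logged_out"
        if verify_token(self.access_token, "access", now) is not None:
            return "ok"
        # Access token expired: present the refresh token to get a new access token.
        claims = verify_token(self.refresh_token, "refresh", now)
        if claims is None:
            # Refresh token expired too: the user is logged out, as in the question.
            self.logout()
            return "logged_out"
        self.access_token = issue_token(claims["sub"], "access", ACCESS_TTL, now)
        return "refreshed"


if __name__ == "__main__":
    session = AppSession()
    session.login("alice", now=1000)
    for t in (1000, 1119, 1120, 1121, 4600):
        print(t, session.request(now=t))
```

The `now` parameter is passed explicitly so the expiry boundaries can be exercised deterministically; a real client would use the wall clock and the server would reject, not just ignore, a token whose signature does not verify. Two design points the question does not cover, stated here as my own recommendations: rotate the refresh token on every use so a stolen one stops working after the legitimate client refreshes, and on Android keep the tokens in EncryptedSharedPreferences (or behind the Keystore) rather than plain SharedPreferences.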
That depends on the business logic of your application. For example, e-commerce could have a longer time, while a trading/investment application could have less time due to security reasons. These things are completely decided by the business analysts, and yeah, for your question, yes it is the correct way of doing it; there are a couple of other ways too.