what's the purpose of the refresh tokens in API of a mobile app - mongodb

Developing a mobile app using angularjs, node.js, mongodb, passportjs, express... I'm implementing the bearer strategy with bearer tokens.
I would like to know, when a user is using the app (immediately after the user is logged in the access token is created), when the API must refresh it or when the access token must expire.

A refresh token is used when the access token expires. It's up to you when you expire the access token, but usually the lifetime of an access token is one hour. When the access token expires, the refresh token can be used to obtain a new access token. For more information, please refer to the OAuth 2.0 RFC.
Refresh token:
Refresh tokens are credentials used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner).
Expiration:
expires_in
RECOMMENDED. The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.

Related

When is the right time to logout the user using JWT, the time when access token expires or the time when the refresh token expires?

I am using JWT for authenticating users. I can see two types of tokens (an access token to make requests to the back-end and a refresh token) generated by JWT. So, my question is: when is the right time to log out the user? The time when the access token expires or the time when the refresh token expires?
What is the best way to get a new access token using the refresh token endpoint depending on the user's active or inactive state?
The refresh token exists so that your service can keep using the user's credentials on their behalf even after the access token expires. So if you have a refresh token, there is no need to "log out the user" when their access token expires.
A Refresh Token contains the information required to obtain a new Access Token or ID Token.
Typically, a user needs a new Access Token when gaining access to a resource for the first time, or after the previous Access Token granted to them expires.
https://auth0.com/docs/tokens/refresh-token/current
If you let the access token expire and do not use the refresh token to generate a new access token, the user will have to log in again if you would like to perform some action on their behalf (access resources using their access token). The user is "logged out" when their refresh token expires. The user does not need to be active for you to use their refresh token.

Does Facebook have an OAuth refresh token?

Does Facebook have an OAuth refresh token?
I want to know, if there is a refresh token, how long until it expires? 60 days?
And if Facebook doesn't have a refresh token, can I treat the long-lived access token as the refresh token and the short-lived access token as the access token?
Thanks.
Facebook does not provide a refresh token.
Facebook provides two kinds of access tokens:
Short-lived access token:
A token that expires after a short period of time (about 2 hours).
Short-lived access tokens are usually used on web clients.
Long-lived access token: An access token with a long life (about 60 days).
Long-lived access tokens are usually used on mobile apps and server side.
You can generate long-lived access tokens with the Facebook SDKs for Android and iOS. These tokens will be refreshed once per day when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after the preset expiry and the person will have to go through the login flow again to get a new token.
It is possible to exchange a valid short-lived access token for a long-lived access token.
The documentation explains the tokens, exchange methods, call parameters etc. well.
And if Facebook doesn't have a refresh token, can I treat the long-lived access token as the refresh token and the short-lived access token as the access token?
No, you can't. A refresh token is a token that may be used to obtain a new access token.
Facebook SDKs can refresh an access token at regular intervals before token expiry if connected.

What's the lifetime of a GitHub OAuth API access token?

What is the expiry time of a GitHub OAuth access token? And also, how do I renew it? I don't see any refresh token in their documentation. Please guide me. Thanks in advance.
2014: As commented in this "GitHub OAuth Busy Developer's Guide":
Tokens don't have to expire.
They only send back the access token and an expiration (field "expires_in", seen as far back as 2013) if the offline_access scope is not requested (as is the case for a refresh token).
Right now, GitHub just assumes all apps want offline access.
You can check an OAuth application authorization, delete it or revoke it.
But the token itself doesn't seem to be bound to an expiry date unless it is not used for one year.
badsyntax adds in the comments:
I also found this useful:
"An OAuth token does not expire until the person who authorized the OAuth App revokes the token."
From "Migrating OAuth Apps to GitHub Apps".
Stokito points out in the comments to rfc6749 / 4.2.2 Access Token Response:
expires_in
RECOMMENDED.
The lifetime in seconds of the access token.
For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.
If omitted, the authorization server SHOULD provide the expiration time via other means or document the default value.
Generally, the access_token of GitHub has no expiry until you revoke the OAuth token.
You can consider opting in to the GitHub App expiring token beta feature. This would make your app use expiring user tokens valid for 8 hours, and refresh tokens valid for 6 months.
Here's an official step-by-step guide.
GitHub will automatically revoke an OAuth token or personal access token when the token hasn't been used in one year.
https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/token-expiration-and-revocation#token-expired-due-to-lack-of-use
Interestingly, some other OAuth providers issue short-lived access tokens and long-lived refresh tokens, as suggested discretionally in the OAuth spec. For example, GitLab OAuth "access tokens expire in two hours" and each refresh token may only be used once. This mitigates the damage that stolen access tokens can do.

Page access token validity

From the Facebook documentation:
By using a long-lived user access token, querying the [User ID]/accounts endpoint will now provide page access tokens that do not expire for pages that a user manages. This will also apply when querying with a non-expiring user access token obtained through the deprecated offline_access permission.
So according to the document, a page access token will not expire if we request it using a long-lived user access token.
I want to know whether the page access token will expire when the long-lived access token expires.
What happens to the page access token obtained using a long-lived access token after the long-lived access token has expired (after 60 days)?

Facebook long-lived and short-lived access tokens, and their expiry after offline_access removal

While reading Facebook's post regarding the offline_access permission removal, I was thoroughly confused by their reference to short-lived and long-lived access tokens.
This page mentioned:
The duration for which a given access token is valid depends on how it was generated
But I failed to find any further information.
Does anyone have insights on how this determination process works in detail?
The access token your app gets for a client-side authentication is short-lived (about 2 hours), but you can extend it and get a long-lived token using the new endpoint with a valid access token.
In the Handling Invalid/Expired Access Tokens it says under Desktop Web and Mobile Web apps which implement authentication with the Javascript SDK:
Calling FB.getLoginStatus() or ensuring status: true is set when you call FB.init() means that the next time a user lands on your application and is signed into Facebook, the authResponse object you are passed as a result of those calls will contain a fresh, valid access token.
In this case, it's simply the act of the user using your application which implicitly generates a new access token.
If you use the server-side authentication flow then you will automatically get a long-lived token (about 60 days).
When that expires you have to send the user to re-authenticate in the same flow (code exchange).
You can of course use both methods and that way you can get a long-lived token in the server and a short-lived token in the client.