Only Implicit OAuth 2.0 web-based flow (no client secret) is supported.
Refreshing tokens is not supported (this is only available in the
Authorization Code flow, which requires the cooperation of a server and cannot
be implemented purely client-side).
Tokens normally expire after one hour (actual length depends on the provider
Authenticating requires navigating to a URL on a different domain, and that is
only possible by letting the user click on a plain HTML link
(<a href="...">); this means that the browser will navigate to a different
page and the current state of the application will be lost.
Passing a state (or nonce) to the authentication request in order to prevent
request forgery attacks is not supported (this is because it is not possible
to keep such generated state in memory and verify it after the authentication
callback, since the application is restarted in the meanwhile and all its
state is lost).