Two Legged (Oauth2 Client Credentials Flow)
Primarily used when a trusted system (that is capable of securely storing the client id and client secret) needs access to your ORDS REST services.
Three Legged (Oauth2 Authorization Code Flow)
As the name implies, this method involves three parties. The client (the party calling the service), the provider (the party providing the REST service) and the party which owns the data. This flow is primarily used for business to consumer flows.
Both of the above methods utilize tokens to authorize clients to access ORDS REST services for a pre-defined period of time.
Extending the Default Token Lifetime
I am yet to find this in any documentation, but it is possible to change this default by adding a parameter 'security.oauth.tokenLifetime' to the defaults.xml file. When you initially install ORDS (at least as of R3.0.5) this parameter does not exist in defaults.xml so I assume the 3600 is hard coded somewhere in the ORDS code. You can add the new line anywhere in the defaults.xml file. Here is a sample entry to change the default to two hours: