Check the step 4 and 5. There is some ambiguity on how to refresh the "Access Token" once it expires. Step 4 talks about getting a session handle and a expiry time for that handle (see the table not the response string) but no where that is used in step 5.
Also it has no detials on how long the request token is valid.
Is session_handle analogous to user hash in BBAuth?